
Windows Analysis Report
S4.exe

Overview

General Information

Sample name: S4.exe
Analysis ID: 1559176
MD5: e1cdd1c7faf2a7e52420b5b2f0acbbbb
SHA1: 4e3cab42589161ac3bc073436ae5f7bd6de2bd21
SHA256: 7714de0a5a1b922eaa1ec24c8dd6d26b343a891a5401d438b217e368790402da
Tags: exe, opendir, user-Joker

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • S4.exe (PID: 5800 cmdline: "C:\Users\user\Desktop\S4.exe" MD5: E1CDD1C7FAF2A7E52420B5B2F0ACBBBB)
  • S4.exe (PID: 5876 cmdline: "C:\Users\user\Desktop\S4.exe" MD5: E1CDD1C7FAF2A7E52420B5B2F0ACBBBB)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: S4.exe PID: 5800 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: S4.exe PID: 5876 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Desktop\S4.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\S4.exe, ProcessId: 5800, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ 3

No Suricata rule has matched


AV Detection

Source: C:\Users\user\Desktop\QQWER.dll | ReversingLabs: Detection: 73%
Source: S4.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\QQWER.dll | Joe Sandbox ML: detected
Source: S4.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\S4.exe | Unpacked PE file: 0.2.S4.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S4.exe | Unpacked PE file: 5.2.S4.exe.10000000.2.unpack
Source: S4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Binary string: devco n.pdbo source: S4.exe
      Source: Binary string: wntdll.pdbUGP source: S4.exe, 00000000.00000003.1468884285.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000002.2719082161.0000000002C6A000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1814357160.0000000002A44000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719049807.0000000002BF4000.00000040.00000020.00020000.00000000.sdmp, 511543.tmp.0.dr, 519c65.tmp.5.dr
      Source: Binary string: wntdll.pdb source: S4.exe, 00000000.00000003.1468884285.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000002.2719082161.0000000002C6A000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1814357160.0000000002A44000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719049807.0000000002BF4000.00000040.00000020.00020000.00000000.sdmp, 511543.tmp.0.dr, 519c65.tmp.5.dr
      Source: Binary string: DrvInDM U.pdbe source: S4.exe
      Source: Binary string: wuser32.pdb source: S4.exe, 00000000.00000002.2719274148.0000000002E17000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000003.1469704700.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1815191631.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719241962.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, 519cc2.tmp.5.dr, 5115d0.tmp.0.dr
      Source: Binary string: devc@on.pdb source: S4.exe
      Source: Binary string: wuser32.pdbUGP source: S4.exe, 00000000.00000002.2719274148.0000000002E17000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000003.1469704700.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1815191631.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719241962.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, 519cc2.tmp.5.dr, 5115d0.tmp.0.dr
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A199
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018AD3
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018AD3
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018EEA
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_100193C2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_100193C2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10007FDD
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10018801
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_10017804
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10011772
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10013C18
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10011C1A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A031
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10024C38
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1001AC51
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1001AC51
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1001AC51
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006051
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006051
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001385A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10002461
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1000F472
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_1001847E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10022882
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 0_2_10025484
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10025484
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_10006495
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006C96
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10014096
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10014096
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_100024AC
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_100024AC
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_100024AC
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_100024AC
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FCB0
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_100198CC
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100188E1
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001A4E7
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1000210D
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1000210D
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_1000B90D
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10003116
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10017D41
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10017D41
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FD4D
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_10001D56
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10025977
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10010199
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1001419C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1001419C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008DA3
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100111A7
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10007DB8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_100151BD
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_100151BD
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_100151BD
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 0_2_1001D1C4
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1001D1C4
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_100259D9
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_100221E2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_100221E2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_100221E2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_100221E2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_100221E2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100189E6
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1000FDEA
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100101FB
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_10014203
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001121A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001121A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001121A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001121A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001121A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001121A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1000B61E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_1001221F
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_1001221F
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001A236
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1001363D
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001363D
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008E40
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_10011653
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_10011653
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10010255
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10010255
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10007E55
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_10007E55
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-40h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-40h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FA6F
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10022A80
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10011E89
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001A6C7
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_10017ECA
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10010AD6
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10010AD6
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 0_2_10008EDD
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1001BADE
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100246E4
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100236FF
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100236FF
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FF10
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008B27
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1001BB29
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_10015B34
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000833D
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-34h], esp | 0_2_10012B40
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1000634E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000B353
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_10026356
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 0_2_1001DB5C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_1001DB5C
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10017B68
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10011772
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 0_2_10024781
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10024781
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1002378A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1002378A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1002378A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1002378A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1002378A
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001BFA0
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001BFA0
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001BFA0
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_1001BFA0
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001BFA0
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_1000A7A2
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100137A3
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000F7AC
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008BC4
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10013FC8
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10007BCA
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10005FDA
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100253E7
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000B3F0
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 5_2_1000710E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 5_2_1000710E
Source: C:\Users\user\Desktop\S4.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 5_2_1000710E
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A199
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018AD3
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018AD3
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018EEA
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_100193C2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_100193C2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10007FDD
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10018801
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_10017804
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10011772
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10013C18
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10011C1A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A031
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10024C38
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006051
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006051
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001385A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10002461
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000F472
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1001847E
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10022882
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10025484
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10025484
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_10006495
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006C96
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10014096
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10014096
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FCB0
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_100198CC
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100188E1
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A4E7
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1000210D
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1000210D
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_1000B90D
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10003116
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017D41
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017D41
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FD4D
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10001D56
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10025977
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10010199
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001419C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001419C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008DA3
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100111A7
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10007DB8
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp5_2_1001D1C4
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001D1C4
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_100259D9
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100189E6
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000FDEA
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100101FB
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10014203
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000B61E
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_1001221F
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_1001221F
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A236
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1001363D
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001363D
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008E40
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10011653
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10011653
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010255
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010255
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10007E55
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_10007E55
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FA6F
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10022A80
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10011E89
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A6C7
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_10017ECA
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010AD6
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010AD6
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10008EDD
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001BADE
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100246E4
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100236FF
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100236FF
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FF10
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008B27
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001BB29
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_10015B34
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000833D
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-34h], esp5_2_10012B40
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1000634E
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000B353
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10026356
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp5_2_1001DB5C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_1001DB5C
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017B68
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10011772
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10024781
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10024781
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1000A7A2
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100137A3
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000F7AC
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008BC4
      Source: C:\Users\user\Desktop\S4.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10013FC8
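The "4x nop then cmp dword ptr [ebp-XXh], esp" hits above are a byte-level pattern, so they can be reproduced on a dumped code region without a sandbox. The scanner below is an added example for this page, not Joe Sandbox code: it looks for a run of at least four 0x90 bytes immediately followed by `cmp [ebp+disp], esp` (opcode 39 with ModRM 65 for a disp8 or A5 for a disp32 form, which is what the -0Ch and -00000084h operands in the report correspond to) and renders each hit in the report's own notation. The image base 0x10000000 and the byte buffer are constructed for the example; the offsets it reports are not the ones in this analysis.

```python
"""Find "N x nop then cmp [ebp+disp], esp" in raw 32-bit x86 code.

Added example, not Joe Sandbox tooling. SAMPLE and IMAGE_BASE are constructed.
"""
import struct
from typing import List, Tuple

NOP = 0x90
CMP_RM32_R32 = 0x39            # cmp r/m32, r32
MODRM_EBP_DISP8_ESP = 0x65     # mod=01 reg=esp(100) rm=ebp(101): [ebp+disp8], esp
MODRM_EBP_DISP32_ESP = 0xA5    # mod=10 reg=esp rm=ebp:          [ebp+disp32], esp
IMAGE_BASE = 0x10000000        # assumed base for pretty-printing only


def find_nop_cmp_esp(code: bytes, min_nops: int = 4) -> List[Tuple[int, int, int]]:
    """Return (cmp_offset, nop_count, signed_disp) for every run of >= min_nops
    NOPs that is directly followed by `cmp [ebp+disp], esp`."""
    hits: List[Tuple[int, int, int]] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        run = i - start
        # too short a run, or the run ends the buffer, or no cmp follows
        if run < min_nops or i + 1 >= n or code[i] != CMP_RM32_R32:
            continue
        modrm = code[i + 1]
        if modrm == MODRM_EBP_DISP8_ESP and i + 2 < n:
            hits.append((i, run, struct.unpack_from("<b", code, i + 2)[0]))
        elif modrm == MODRM_EBP_DISP32_ESP and i + 5 < n:
            hits.append((i, run, struct.unpack_from("<i", code, i + 2)[0]))
        # a cmp with any other ModRM (different register pair) is not the pattern
    return hits


def format_hit(offset: int, nops: int, disp: int, base: int = IMAGE_BASE) -> str:
    """Render one hit the way the report phrases it, plus its virtual address."""
    disp_txt = f"-{-disp:02X}h" if disp < 0 else f"+{disp:02X}h"
    return f"{nops}x nop then cmp dword ptr [ebp{disp_txt}], esp @ {base + offset:08X}"


# Constructed sample: a 3-NOP run (below the default threshold), a 4-NOP run
# before the disp8 form, and a 5-NOP run before the disp32 form.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                     # push ebp; mov ebp, esp
    0x90, 0x90, 0x90, 0x39, 0x65, 0xF4,   # 3 nops; cmp [ebp-0Ch], esp
    0x90, 0x90, 0x90, 0x90,               # 4 nops
    0x39, 0x65, 0xF4,                     # cmp [ebp-0Ch], esp
    0x90, 0x90, 0x90, 0x90, 0x90,         # 5 nops
    0x39, 0xA5, 0x7C, 0xFF, 0xFF, 0xFF,   # cmp [ebp-00000084h], esp
    0xC3,                                 # ret
])

if __name__ == "__main__":
    for off, nops, disp in find_nop_cmp_esp(SAMPLE):
        print(format_hit(off, nops, disp))
```

Lower `min_nops` to 3 and the first, sub-threshold run is reported as well, which is the knob that decides how noisy the signature is. Keep in mind that comparing a saved stack pointer against `esp` after a call is also what compiler-inserted runtime stack checks look like, so the pattern on its own is a weak indicator; the report scores it that way too ("likely shell or obfuscated code").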
Source: Joe Sandbox View IP Address: 42.193.100.57
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache (the percent-encoded path decodes to 自己的档.txt, roughly "own file.txt")
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 42.193.100.57 (34 connections listed)
      Source: S4.exe | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/
      Source: S4.exe | String found in binary or memory: http://42.193.100.57/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt
      Source: S4.exe | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt22658-3693405117-2476756634-1003
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt;AE
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtJ
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtL
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtM
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtX
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtY
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt_
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2717957519.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txta
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txts)
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txts.
      Source: S4.exe, 00000000.00000002.2717981406.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtshqos.dll.mui
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtx$
      Source: S4.exe | String found in binary or memory: http://42.193.100.57/123.txt
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txt&?P
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txt00.57/
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txtH?B
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txtHv
      Source: S4.exe | String found in binary or memory: http://42.193.100.57/123.txtPlatform.exe
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txthqos.dll.mui
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txtl
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txtp
      Source: S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/123.txttxt
      Source: S4.exe | String found in binary or memory: http://ocsp.t
      Source: S4.exe | String found in binary or memory: http://sf.symc
      Source: S4.exe | String found in binary or memory: http://ts-ocsp.ws.s
      Source: S4.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.
      Source: S4.exe | String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
      Source: S4.exe | String found in binary or memory: https://ww(w.v
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputData (memstr_6342ca8c-9)
      Source: Yara match | File source: Process Memory Space: S4.exe PID: 5800, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: S4.exe PID: 5876, type: MEMORYSTR
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_10007FDD NtClose
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1001419C ReleaseMutex,NtClose
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1001221F NtClose
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_10007FDD NtClose
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_1001419C ReleaseMutex,NtClose
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_1001221F NtClose
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_004AD870
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_10002628
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_100032EA
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_10002628
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_100032EA
      Source: C:\Users\user\Desktop\S4.exe | Process token adjusted: Load Driver
      Source: C:\Users\user\Desktop\S4.exe | Process token adjusted: Security
      Source: C:\Users\user\Desktop\S4.exe | Code function: String function: 10029640 appears 130 times
      Source: 511543.tmp.0.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 519c65.tmp.5.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 519c65.tmp.5.dr | Static PE information: No import functions for PE file found
      Source: 511543.tmp.0.dr | Static PE information: No import functions for PE file found
      Source: S4.exe, 00000000.00000002.2719082161.0000000002D97000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S4.exe
      Source: S4.exe, 00000000.00000002.2719274148.0000000002EBF000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S4.exe
      Source: S4.exe, 00000000.00000003.1468884285.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S4.exe
      Source: S4.exe, 00000000.00000003.1469704700.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S4.exe
      Source: S4.exe, 00000005.00000002.2719049807.0000000002D21000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S4.exe
      Source: S4.exe, 00000005.00000003.1815191631.0000000002A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S4.exe
      Source: S4.exe, 00000005.00000003.1814357160.0000000002B67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S4.exe
      Source: S4.exe, 00000005.00000002.2719241962.0000000002E51000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S4.exe
      Source: S4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: QQWER.dll.0.dr | Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
      Source: 519c65.tmp.5.dr | Binary string: \Device\IPT[
      Source: classification engine | Classification label: mal80.evad.winEXE@2/12@0/1
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_00415B3B GetDiskFreeSpaceExA
      Source: C:\Users\user\Desktop\S4.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\S4.exe | Mutant created: NULL
      Source: C:\Users\user\Desktop\S4.exe | File created: C:\Users\user\AppData\Local\Temp\511543.tmp
      Source: S4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\S4.exe | File read: C:\Users\user\Desktop\ .ini
      Source: C:\Users\user\Desktop\S4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: S4.exe | ReversingLabs: Detection: 47%
      Source: unknown | Process created: C:\Users\user\Desktop\S4.exe "C:\Users\user\Desktop\S4.exe"
      Source: unknown | Process created: C:\Users\user\Desktop\S4.exe "C:\Users\user\Desktop\S4.exe"
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\S4.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\S4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
      Source: C:\Users\user\Desktop\S4.exe | File written: C:\Users\user\Desktop\ .ini
      Source: C:\Users\user\Desktop\S4.exe | Window detected: Number of UI elements: 27
      Source: S4.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: S4.exe | Static file information: File size 4952064 > 1048576
      Source: S4.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13c000
      Source: S4.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x257000
      Source: S4.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
      Source: Binary string: devco n.pdbo source: S4.exe
      Source: Binary string: wntdll.pdbUGP source: S4.exe, 00000000.00000003.1468884285.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000002.2719082161.0000000002C6A000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1814357160.0000000002A44000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719049807.0000000002BF4000.00000040.00000020.00020000.00000000.sdmp, 511543.tmp.0.dr, 519c65.tmp.5.dr
      Source: Binary string: wntdll.pdb source: S4.exe, 00000000.00000003.1468884285.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000002.2719082161.0000000002C6A000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1814357160.0000000002A44000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719049807.0000000002BF4000.00000040.00000020.00020000.00000000.sdmp, 511543.tmp.0.dr, 519c65.tmp.5.dr
      Source: Binary string: DrvInDM U.pdbe source: S4.exe
      Source: Binary string: wuser32.pdb source: S4.exe, 00000000.00000002.2719274148.0000000002E17000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000003.1469704700.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1815191631.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719241962.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, 519cc2.tmp.5.dr, 5115d0.tmp.0.dr
      Source: Binary string: devc@on.pdb source: S4.exe
      Source: Binary string: wuser32.pdbUGP source: S4.exe, 00000000.00000002.2719274148.0000000002E17000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000003.1469704700.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000003.1815191631.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2719241962.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, 519cc2.tmp.5.dr, 5115d0.tmp.0.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\S4.exe | Unpacked PE file: 0.2.S4.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\S4.exe | Unpacked PE file: 5.2.S4.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_004ACCC0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary
      Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
      Source: QQWER.dll.0.dr | Static PE information: section name: .Upack
      Source: 511543.tmp.0.dr | Static PE information: section name: RT
      Source: 511543.tmp.0.dr | Static PE information: section name: .mrdata
      Source: 511543.tmp.0.dr | Static PE information: section name: .00cfg
      Source: 5115d0.tmp.0.dr | Static PE information: section name: .didat
      Source: 519c65.tmp.5.dr | Static PE information: section name: RT
      Source: 519c65.tmp.5.dr | Static PE information: section name: .mrdata
      Source: 519c65.tmp.5.dr | Static PE information: section name: .00cfg
      Source: 519cc2.tmp.5.dr | Static PE information: section name: .didat
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_0051BE20 push eax; ret 0_2_0051BE4E
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_0051E094 push eax; ret 0_2_0051E0B2
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_0051BE20 push eax; ret 5_2_0051BE4E
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_0051E094 push eax; ret 5_2_0051E0B2
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_1002C7F8 push edi; ret 5_2_1002C7FC
      Source: QQWER.dll.0.dr | Static PE information: section name: .rsrc entropy: 7.999713933191419
      Source: 511543.tmp.0.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: 519c65.tmp.5.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: C:\Users\user\Desktop\S4.exe | File created: C:\Users\user\AppData\Local\Temp\5115d0.tmp
      Source: C:\Users\user\Desktop\S4.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\S4.exe | File created: C:\Users\user\AppData\Local\Temp\519cc2.tmp
      Source: C:\Users\user\Desktop\S4.exe | File created: C:\Users\user\AppData\Local\Temp\511543.tmp
      Source: C:\Users\user\Desktop\S4.exe | File created: C:\Users\user\AppData\Local\Temp\519c65.tmp
      Source: C:\Users\user\Desktop\S4.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 3
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: C:\Users\user\Desktop\S4.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\S4.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-23236)
      Source: C:\Users\user\Desktop\S4.exe | File opened: C:\Windows\SysWOW64\ntdll.dll
      Source: C:\Users\user\Desktop\S4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5115d0.tmp
      Source: C:\Users\user\Desktop\S4.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\S4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\519cc2.tmp
      Source: C:\Users\user\Desktop\S4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\511543.tmp
      Source: C:\Users\user\Desktop\S4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\519c65.tmp
      Source: C:\Users\user\Desktop\S4.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers
      Source: S4.exe, 00000000.00000002.2717981406.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000002.2717981406.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2717957519.0000000000A93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: S4.exe, 00000005.00000002.2717957519.00000000009D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
      Source: C:\Users\user\Desktop\S4.exe | API call chain: ExitProcess graph end node (graph_0-23350)
      Source: C:\Users\user\Desktop\S4.exe | API call chain: ExitProcess graph end node (graph_5-22397)
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_10004B1B LdrInitializeThunk
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_004ACCC0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_1001A4C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S4.exe | Code function: 5_2_1000AE99 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_00498C20 GetProcessHeap,RtlAllocateHeap
      Source: C:\Users\user\Desktop\S4.exe | Process token adjusted: Debug
      Source: S4.exe | Binary or memory string: Shell_TrayWnd
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000002.2719274148.0000000002E17000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000003.1469704700.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindowV
      Source: S4.exe, 00000000.00000002.2717981406.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000002.2719274148.0000000002E17000.00000040.00000020.00020000.00000000.sdmp, S4.exe, 00000000.00000003.1469704700.0000000002ABF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
      Source: S4.exe | Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow3260
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_10019EDC cpuid
      Source: C:\Users\user\Desktop\S4.exe | Code function: 0_2_00537422 GetVersion,InitializeCriticalSection
      MITRE ATT&CK Matrix, by tactic (a leading number is the figure shown in that cell of the report):

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
      Persistence: 1 Registry Run Keys / Startup Folder; 1 LSASS Driver; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
      Privilege Escalation: 2 Process Injection; 1 Registry Run Keys / Startup Folder; 1 LSASS Driver; 1 DLL Side-Loading; Network Logon Script; RC Scripts
      Defense Evasion: 1 Masquerading; 2 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
      Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: 111 Security Software Discovery; 1 Process Discovery; 1 Application Window Discovery; 2 File and Directory Discovery; 15 System Information Discovery; Wi-Fi Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: 1 Screen Capture; 11 Input Capture; 1 Archive Collected Data; Input Capture; Keylogging; GUI Input Capture
      Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
S4.exe | 47% | ReversingLabs |
S4.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\Desktop\QQWER.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\511543.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\5115d0.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\519c65.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\519cc2.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\QQWER.dll | 73% | ReversingLabs | Win32.Infostealer.OnlineGames
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://42.193.100.57/123.txthqos.dll.mui | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtY | 0% | Avira URL Cloud | safe
http://ts-ocsp.ws.s | 0% | Avira URL Cloud | safe
http://ts-ocsp.ws.symantec. | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txtHv | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtX | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txt&?P | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt22658-3693405117-2476756634-1003 | 0% | Avira URL Cloud | safe
https://ww(w.v | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtx$ | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txt00.57/ | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt_ | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtshqos.dll.mui | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txtH?B | 0% | Avira URL Cloud | safe
http://ocsp.t | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txtp | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txta | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtJ | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txtl | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txttxt | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtL | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtM | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txts) | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txtPlatform.exe | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt;AE | 0% | Avira URL Cloud | safe
http://sf.symc | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txts. | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | 0% | Avira URL Cloud | safe
http://42.193.100.57/123.txt | 0% | Avira URL Cloud | safe
      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txt | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.eyuyan.com)DVarFileInfo$ | S4.exe | false | | high
http://42.193.100.57/123.txthqos.dll.mui | S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txtHv | S4.exe, 00000005.00000002.2717957519.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.s | S4.exe | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.symantec. | S4.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt22658-3693405117-2476756634-1003 | S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtY | S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ww(w.v | S4.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtX | S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txt&?P | S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | S4.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtshqos.dll.mui | S4.exe, 00000000.00000002.2717981406.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt_ | S4.exe, 00000005.00000002.2717957519.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtx$ | S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txt00.57/ | S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt | S4.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txta | S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, S4.exe, 00000005.00000002.2717957519.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txtH?B | S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txtp | S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.t | S4.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtJ | S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtM | S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txtl | S4.exe, 00000000.00000002.2717981406.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtL | S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txttxt | S4.exe, 00000005.00000002.2717957519.0000000000A80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://sf.symc | S4.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txts) | S4.exe, 00000000.00000002.2717981406.0000000000A59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt;AE | S4.exe, 00000005.00000002.2717957519.0000000000A55000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/123.txtPlatform.exe | S4.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txts. | S4.exe, 00000005.00000002.2717957519.0000000000A18000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
42.193.100.57 | unknown | China | 4249 | LILLY-ASUS | false
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1559176
        Start date and time:2024-11-20 09:20:44 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 5m 31s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:9
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:S4.exe
        Detection:MAL
        Classification:mal80.evad.winEXE@2/12@0/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: S4.exe
Time | Type | Description
09:22:11 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 3 C:\Users\user\Desktop\S4.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
42.193.100.57 | #U4fdd#U62a4#U795e1.exe | malicious | Unknown | 42.193.100.57/%E5%8D%83%E5%8D%83%E6%99%9A%E6%98%9F16.exe
42.193.100.57 | 213.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
42.193.100.57 | 211.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
42.193.100.57 | 212.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
42.193.100.57 | 214.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LILLY-ASUS | #U4fdd#U62a4#U795e1.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 213.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 211.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 212.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 214.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 43.155.76.124
LILLY-ASUS | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.52.215.121
LILLY-ASUS | arm.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.152.251.74
LILLY-ASUS | x86_32.nn.elf | malicious | Mirai, Okiru | 40.221.176.183
LILLY-ASUS | https://trackwniw.top/i | malicious | Unknown | 43.130.33.71
        No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\511543.tmp | 99.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | 211.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | 212.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | 214.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\511543.tmp | BCNFNjvJNq.exe | malicious | ADWIND, Lokibot, Ramnit, Sality
C:\Users\user\AppData\Local\Temp\511543.tmp | cnlg48.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | 99.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | 211.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | 212.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | 214.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | FZ6oyLoqGM.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\5115d0.tmp | Lisect_AVT_24003_G1A_54.exe | malicious | Bdaejec
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1699896
                                                Entropy (8bit):6.290547513916722
                                                Encrypted:false
                                                SSDEEP:24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
                                                MD5:5564A98A4692BA8B2D25770FB834D5F6
                                                SHA1:129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
                                                SHA-256:28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
                                                SHA-512:D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: 99.exe, Detection: malicious, Browse
                                                • Filename: 211.exe, Detection: malicious, Browse
                                                • Filename: 212.exe, Detection: malicious, Browse
                                                • Filename: 214.exe, Detection: malicious, Browse
                                                • Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: BCNFNjvJNq.exe, Detection: malicious, Browse
                                                • Filename: cnlg48.exe, Detection: malicious, Browse
                                                Reputation:moderate, very likely benign file
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1679648
                                                Entropy (8bit):5.3288490918902225
                                                Encrypted:false
                                                SSDEEP:24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
                                                MD5:2E8AB67DC55089DFBCBFA7710BD15B07
                                                SHA1:159434853CE512029314C6B70070220D251A924A
                                                SHA-256:2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
                                                SHA-512:7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: 99.exe, Detection: malicious, Browse
                                                • Filename: 211.exe, Detection: malicious, Browse
                                                • Filename: 212.exe, Detection: malicious, Browse
                                                • Filename: 214.exe, Detection: malicious, Browse
                                                • Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: FZ6oyLoqGM.exe, Detection: malicious, Browse
                                                • Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious, Browse
                                                Reputation:moderate, very likely benign file
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1699896
                                                Entropy (8bit):6.290547513916722
                                                Encrypted:false
                                                SSDEEP:24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
                                                MD5:5564A98A4692BA8B2D25770FB834D5F6
                                                SHA1:129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
                                                SHA-256:28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
                                                SHA-512:D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Reputation:moderate, very likely benign file
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1679648
                                                Entropy (8bit):5.3288490918902225
                                                Encrypted:false
                                                SSDEEP:24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
                                                MD5:2E8AB67DC55089DFBCBFA7710BD15B07
                                                SHA1:159434853CE512029314C6B70070220D251A924A
                                                SHA-256:2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
                                                SHA-512:7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Reputation:moderate, very likely benign file
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PC bitmap, Windows 3.x format, 88 x 30 x 24, image size 7920, cbSize 7974, bits offset 54
                                                Category:dropped
                                                Size (bytes):7974
                                                Entropy (8bit):5.673356453027983
                                                Encrypted:false
                                                SSDEEP:192:Ff/ZR+G5hr4gwFy2EmU8fTDAa/AUdiwcWOWNnLV:FfbEzsxUdinWDh
                                                MD5:7E50424DE95D765740BCE30899FA4E3B
                                                SHA1:306B279E18EB8830960449758C025C0F13F7A484
                                                SHA-256:1886332AA5F083560E14B3E7DAEF8BFBFA7BE16FBD93CC10CD84C11C87014AA6
                                                SHA-512:4E9349366B4A16111B47E6E78D289DC22892BA7B2E5E5A8F46C808CA268FEEE1D7483A4E43F46686DB24E4C50C4BABBD2A8722D323A25C7656F31C45D186B5A3
                                                Malicious:false
                                                Preview:BM&.......6...(...X...................................P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1.P1....................................................................................................................................................................................|..p.........................................................................~..~..}..}..}..{..{..{..{..z..y..y..x..x..w..w..w..v..u..u..u..t..t..s..s..r..q..q..q..q..p..o..o..n..n..m..m..l..k..k..j..j..i..i..h..h..h..h..g..f..f..e..e..o........................................................................~..~..~..}..}..{..{..{..z..z..z..y..x..x..w..w..w..
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PC bitmap, Windows 3.x format, 113 x 35 x 24, image size 11900, cbSize 11954, bits offset 54
                                                Category:dropped
                                                Size (bytes):11954
                                                Entropy (8bit):5.409855539827035
                                                Encrypted:false
                                                SSDEEP:192:fZQMVQGPMZvJHDbHCWRi+vExCtcPvo+zyjDEz4D5fpDvzmJ7If8:fZQyQ+GhXb/eycPvvzyjgz49fpjzmJ8E
                                                MD5:C493B0AA16D37E5FEFD7B9122541CE9C
                                                SHA1:1C472E2C8E6D10D5B266F88EC2FD054413470D4E
                                                SHA-256:F98734C3B9559D549C65DCE47EE33E7037EB35055B548B7D0B4773777052FFB5
                                                SHA-512:1819E0B95F10BC019217B59F2540E01C6D05F10F0AF8F8EBBF5EEFC5DB0EA15E715858DF2CD0E2A23E37E415F540016174C8C7741DAAE30686FFE6E8019C449C
                                                Malicious:false
                                                Preview:BM........6...(...q...#...........|...................) .) ..b$.+../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.+.b$) ..F4..+.#...............................................................................................~..~..}..}..|..|..{..|..{..{..z..z..y..y..x..x..w..w..v..w..v..v..u..u..t..t..s..s..r..r..q..r..q..q..p..p..o..o..n..n..m..m..l..m..l..l..k..k..j..j..i..i..h..h..g..h..g..g..f..f..g..w..".+..+...................................................................................................~..~..}..~..}..}..|..|..{..{..z..z..y..y..x..y..x..x..w..w..v..v..u..u..t..t..s..t..s..s..r..r..q..q..p..p..o..o..n..o
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PC bitmap, Windows 3.x format, 30 x 30 x 24, image size 2760, cbSize 2814, bits offset 54
                                                Category:dropped
                                                Size (bytes):2814
                                                Entropy (8bit):6.009651948393757
                                                Encrypted:false
                                                SSDEEP:48:twMisdyOfXdCbp////K8//fPLoM7P7xN7e9oS/v/0lUpR2WC7Hn:7yO/dC1////T//fP8gu3/v/0lUpR2b7H
                                                MD5:BE0F9D021BF9ED2CEA9572D88BFA9E02
                                                SHA1:8DE179621E6E5C5DEDF5C8F5A3F917062C7ACDD4
                                                SHA-256:8629EDCDBA642EEECA74DD4CFBF72AA1FF61C8039D8851175017E582B25E64B8
                                                SHA-512:849FA4B9883800A490F558A35361FB2849D986D1917AF7FF5F45AF2E2EEC758BC33C0CF7D20BDC108D29D0FE1021B6390E12B9BB02DEDAF33C442AD633124B9E
                                                Malicious:false
                                                Preview:BM........6...(.......................................*$3+&4+'6+'7,(8+':,)<+)=+)>,)?-*A+)@+)A+*B,+D,+D,+F++F,,I,+H,+I,,K-.L,-M,-M,-N,.O..Q./R./S..+$.*$.,%0*%2+%3+&4,&5+'6,(8+(9(#5# 6!.:!.;".;!.=#.<".>".>".?".?!.A#.@" A# B" C#!C&$E*(I,,J..*")*#**$,*$,+$.+$/,%1+%2+%3($0#.C)..-...../../../../../../../../../../../../.....,..(.}*(D..*"&)"'*"()")*"*("**#,*$-+$.#.',..0..1..0..1..0..1..0..0..1..0..0..0..1..1..0..1..0..0..*.s..* "*!#)!$*!%*"&*#'*"(*"),$-#.$6 .6 .6 .6 .6 .6 .6 .6..6 .6 .6..6 .6..6 .6 .6 .6 .6 .6 ./ ...)..(. ) !) !* #) #)!$*)0,;Y&1G=+.>(.>(.>(.>(.>(.>(.>(.>(.>'.>(.>(.>(.>(.>(.>(.>'.>(.>(.4$...)..)..) ) ). ) )!"/x.0..8..5U.B7.F0.G0.G0.F/.G0.G0.F/.G0.F/.F/.F/.F/.F/.F/.F/.G0.G0.9)...*..)..)..(..)..(..(..=..>..<..S..Jd.K9.O8.O7.O7.O8.O8.O8.O8.O8.O8.O7.O8.O7.O8.O8.O8.O8.>-...)..)..*..)..*..*..*..Jjp[..c..B..D..HF.W?.W?.W?.W?.W?.W@.W@.W@.W@.V?.W@.W?.W@.W@.W@.W?.C2...)..(..)..(..)..(..)..,"!FUYQ..:..9..VN.]E.]F.]H.]J.^M.^R.^X.^V.]P.]M.]J.]G.]E.]E.]F.]E.G6...)..)..)..)..)..)..)..)..).
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
                                                Category:dropped
                                                Size (bytes):931
                                                Entropy (8bit):7.686509007424359
                                                Encrypted:false
                                                SSDEEP:24:P5FBJ4EF5F6lwDXJwWtWXeStXMyNr2Y5idf3Gi7:P57PF6l4XeeuNJNr5Kf2o
                                                MD5:4FEDCB19004834F7720C4CD7C387F98A
                                                SHA1:C05E45AC4FC4DF921E8C11574DE42AA48ED21809
                                                SHA-256:D24F79618C29D22DEE06477554CBDA92C7C0226DF9688133271996EDF2332DD3
                                                SHA-512:928A32FAA980C6CCCDD4251072F3096A3194FA5D59DD03B74273D69FFF6BD0C7C882A440D7A20A3DA2807D892D1B20E4E3A624919CB21E593CC0F38E8B600878
                                                Malicious:false
                                                Preview:.PNG........IHDR..............T<.....sRGB.........gAMA......a.....pHYs..........o.d...8IDATHK..kH.Q...,..........zk+.n.y.`-0.l-5..Pi...X.i.e....Y..A.].!D%#.2*.HB+(+(..m....J.k.<...}.3s.C.:,.=!...`O...".....Rpqv...b.W.'I=k7aER8R.._.Z./....+..v.7Wg...H.9...ip.JR..........A.%...u.c..3..6,)L.3.r7..rx..>.O.2FJ.R.16R..F\...!._.5..E............r...!a.A...O.;h.+L..|.-f.7..T3.u....Rx{z........0....M4..~s....p.-.w{...x......9-.w.~v&Jo98"C5x..8>....sL>.E~v.|.......U.rlg.y.}....3Q)..&n}...+...O8.O..2\~..(A.........:......c.b..'%.(.....O.W..F....'j_.h4~J.2.>..1%.........2>.Z....J.Y.C4L.fk.r.u.c.f.....r:.V"..%...(FAv.(K.H.F..c..w..0p.H@..Bd...N..].....1...,.M7.....2._p.........6.`...&4......637/.!&..;i?;.@.R.$.q.5..m9..u.y>.LOk.X.s..>k?....<?....PQ............r6..E[..fX..s.:.....G.IH.?la..=_.J...8.4....F.;.yI.>.R.+O.lv..s.+.......h!.......-..,..&I=k7.......a..'dED...Y...{...>.g........IEND.B`.
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):19
                                                Entropy (8bit):3.536886723742169
                                                Encrypted:false
                                                SSDEEP:3:Vv:Vv
                                                MD5:6CAEF80C0A930A24861D178A7E6BDEA6
                                                SHA1:BEE0E634AE94E72C73BF17B5F97D9F9BDDE2DAD0
                                                SHA-256:004A2BE320DC08F26F0BBB9919DDBDE7EE6A4D291A63E1C769C1A9F0F9C70286
                                                SHA-512:A183F3934D08AA52956A01DE9D13D83C3437E55149F153B011DA8F02E04E513F571EE334A4256829504521F667D5174D806EDC3EE251953D77F96EDD896D89DC
                                                Malicious:false
                                                Preview:[Cofig]..Z1=..Z2=..
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
                                                Category:dropped
                                                Size (bytes):14774
                                                Entropy (8bit):4.868699837953847
                                                Encrypted:false
                                                SSDEEP:384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
                                                MD5:EE883808D176D23096A2D4F339C84368
                                                SHA1:D901775EDE136567215ABE718023C1A62F46A0A6
                                                SHA-256:3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
                                                SHA-512:F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
                                                Malicious:false
                                                Preview:BM.9......6...(...z...(............9..............................................................................................................................~..~..~..~..}..}..}..}..|..|..{..{..{..{..z..z..z..z..y..y..x..y..x..x..w..x..w..w..v..v..v..v..u..u..t..t..t..t..s..s..s..s..r..r..q..r..q..q..p..q..p..p..o..o..o..o..n..n..m..n..m..m..l..l..l..l..k..k..j..k................................................................................................................~..~..}..}..}..}..|..|..|..|..{..{..z..{..z..z..y..z..y..y..x..x..x..x..w..w..v..v..v..v..u..u..u..u..t..t..s..t..s..s..r..s..r..r..q..q..q..q..p..p..o..p..o..o..n..n..n..n..m..m..l..m..l..l..k..l..k..k..j..j...............................................................................................................~..~..~..~..}..}..|..}..|..|..{..{..{..{..z..z..y..z.
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):687517
                                                Entropy (8bit):7.999653084247243
                                                Encrypted:true
                                                SSDEEP:12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
                                                MD5:4B7109E2F77FF15219B81079DF8C12B2
                                                SHA1:AB3BF417AF304B83CD49707E399BC06E1E10D519
                                                SHA-256:BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
                                                SHA-512:770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 73%
                                                Preview:MZKERNEL32.DLL..LoadLibraryA....GetProcAddress..UpackByDwing@...PE..L..................!...9.`..........`X.......p......................................................................,[..q....[..............................H........................................................................................Upack..............................`....rsrc............{..................`........[...............Z...Z...Z...Z...Z.......Z...Z...X.......[.......Y......|...........u...............................*..T...h........Zx.)1Y"F..,...L..F.4."W|..5P......A...c]...J..X.;/.T..|...~.d.W..........(k.../.!.y..0Kol.Ty..N...yg....-.GI....@.c..g:...!.Oo..j..N.h6x..9)B.Iw.4Z}..g.CCN......X...:.`......!y.p.^=..;..!.......83..W..W...h.?$R.Q....$..+......... 6....3..i...<.Z.\...r.T....,.).s..~.V.......^].k.[....bQ....+Y.';C.._.R. fq......y..X.8t2.J.....4B...m.....A...a.8..F....51mt6e..Yec..A...q......:..)..l.O!.S..8.f..X....k.....!B..Z<.\.C....kc(...0..#.M}+@..X.g;P..r....x.
                                                Process:C:\Users\user\Desktop\S4.exe
                                                File Type:PC bitmap, Windows 3.x format, 35 x 20 x 24, image size 2160, cbSize 2214, bits offset 54
                                                Category:dropped
                                                Size (bytes):2214
                                                Entropy (8bit):3.158509986026752
                                                Encrypted:false
                                                SSDEEP:48:JouFFFFFF8JuJuJuJuJuJuJuJuzQotg8UOub4FFXF2UuJuJVHuFFFFFF8JuJuJuf:yuFFFFFFAtgoFFXFZuFFFFFFf
                                                MD5:DF205D271276F748CEF591CBD2DB34AD
                                                SHA1:78CF2060CEE78621E753CADA5317CFACB81A88DD
                                                SHA-256:437ED3561E75CF67ADC1A44CEDBFC57874EDF85C2D84E8F1484E2CBDD4EED7EB
                                                SHA-512:11FA8EAAB577FB1B828187D79AA862E6AA7B1CAE55143AFC4F007DF71D0B66659AFAD26533125F2DE37FB31E57E2043265F08E7042434593DA988279FCA33538
                                                Malicious:false
                                                Preview:BM........6...(...#...............p...................%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%.....%..%..%..%..%...........%..%..%..%..%..%..............%..%..%..%..%..%..%..%..%.....%..%........%..%..%........%..%..%........%.....%..%...........%.....%..%........%..%........%..%..%..%.....%..%..$..%........$..%........$..%........$........%..$..%..............%........%..............%..%..$.....%..%..%..%...........%........%..%........%........%...........%..%..............%........%..%..%..%..%.....%..%..%..%........%..%..%........%........%..%..%..%..%..%...........%............
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):6.435058563102442
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:S4.exe
                                                File size:4'952'064 bytes
                                                MD5:e1cdd1c7faf2a7e52420b5b2f0acbbbb
                                                SHA1:4e3cab42589161ac3bc073436ae5f7bd6de2bd21
                                                SHA256:7714de0a5a1b922eaa1ec24c8dd6d26b343a891a5401d438b217e368790402da
                                                SHA512:5467c64a43e94e7a9bc85e2c27b7d3246a3ceb70978499238c7d6b68c16eb336492466103abf210e98179b855d360c9a5f142512ba5d33e8609fe262f3cfa877
                                                SSDEEP:49152:kpAqdPkRCqm0EtDmv+h6T2C7qPNChFQjwOybEkTowOybEkTT:7qdcRCqxKoRdqPUGwOm5TowOm5TT
                                                TLSH:9636AD037212C8A7D11027B455A1E338E5B64FE03C35CA47EBF0FC67BEB66634A66589
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................q...........................A...q......................................................
                                                Icon Hash:37617db97159392f
                                                Entrypoint:0x51a829
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:
                                                Time Stamp:0x673D767C [Wed Nov 20 05:41:16 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:18a1e39382b63e85ee686680a4f065d3
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                push FFFFFFFFh
                                                push 00787830h
                                                push 0051D694h
                                                mov eax, dword ptr fs:[00000000h]
                                                push eax
                                                mov dword ptr fs:[00000000h], esp
                                                sub esp, 58h
                                                push ebx
                                                push esi
                                                push edi
                                                mov dword ptr [ebp-18h], esp
                                                call dword ptr [0053D1C4h]
                                                xor edx, edx
                                                mov dl, ah
                                                mov dword ptr [007E6FE4h], edx
                                                mov ecx, eax
                                                and ecx, 000000FFh
                                                mov dword ptr [007E6FE0h], ecx
                                                shl ecx, 08h
                                                add ecx, edx
                                                mov dword ptr [007E6FDCh], ecx
                                                shr eax, 10h
                                                mov dword ptr [007E6FD8h], eax
                                                push 00000001h
                                                call 00007F22C898DC96h
                                                pop ecx
                                                test eax, eax
                                                jne 00007F22C8987C7Ah
                                                push 0000001Ch
                                                call 00007F22C8987D38h
                                                pop ecx
                                                call 00007F22C898DA41h
                                                test eax, eax
                                                jne 00007F22C8987C7Ah
                                                push 00000010h
                                                call 00007F22C8987D27h
                                                pop ecx
                                                xor esi, esi
                                                mov dword ptr [ebp-04h], esi
                                                call 00007F22C898D86Fh
                                                call dword ptr [0053D364h]
                                                mov dword ptr [007EC224h], eax
                                                call 00007F22C898D72Dh
                                                mov dword ptr [007E6F50h], eax
                                                call 00007F22C898D4D6h
                                                call 00007F22C898D418h
                                                call 00007F22C898C349h
                                                mov dword ptr [ebp-30h], esi
                                                lea eax, dword ptr [ebp-5Ch]
                                                push eax
                                                call dword ptr [0053D1DCh]
                                                call 00007F22C898D3A9h
                                                mov dword ptr [ebp-64h], eax
                                                test byte ptr [ebp-30h], 00000001h
                                                je 00007F22C8987C78h
                                                movzx eax, word ptr [ebp+00h]
                                                Programming Language:
                                                • [ C ] VS98 (6.0) SP6 build 8804
                                                • [C++] VS98 (6.0) SP6 build 8804
                                                • [C++] VS98 (6.0) build 8168
                                                • [ C ] VS98 (6.0) build 8168
                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x390770 | 0x140 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ed000 | 0x10ce8c | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x13d000 | 0x7b4 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x1000 | 0x13b96e | 0x13c000 | 6201a0158dc813617f7e0503e8a4b7b4 | False | 0.41751523561115506 | data | 6.429370520991287 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .rdata | 0x13d000 | 0x25604c | 0x257000 | 9af8f06a37bc2cb2541b910b419ef702 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data | 0x394000 | 0x5822a | 0x18000 | 72fa5d0da2b98d841938b566a9813bef | False | 0.309173583984375 | data | 5.047091030747667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .rsrc | 0x3ed000 | 0x10ce8c | 0x10d000 | 4ffa8ef9b3c8febba60053b45f3847c3 | False | 0.4435626742565056 | data | 5.238795401055608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
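The static fields above (the section table with per-section entropy and MD5, the entry point 0x51a829 which at image base 0x400000 is RVA 0x11a829 inside .text, and the dropped Upack DLL further up at entropy 7.9997 and Encrypted: true, whose preview begins "MZKERNEL32.DLL..LoadLibraryA") are checks a sandbox performs before executing anything. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it builds two constructed PE32 images (one clean, one mimicking the packed layout), parses the section table, computes Shannon entropy per section, finds which section holds the entry point, and looks for import-style strings overlaying the DOS header. The section-name list, the 7.2 entropy cut-off, the `.hypo` section name and every byte of the constructed images are assumptions for the demonstration, not data from S4.exe.

```python
import math
import re
import struct

# Section names a stock MSVC-style link produces; assumed list for the heuristic.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}
HIGH_ENTROPY = 7.2   # heuristic cut-off; compressed or encrypted payloads sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image's headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # IMAGE_OPTIONAL_HEADER starts here
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, raw_ptr, chars = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "characteristics": chars,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Static checks of the kind the report applies to each PE it sees."""
    entry_rva, sections = parse_sections(pe)
    entry = next((s["name"] for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    # Bytes 0x02..0x3B of a normal file hold DOS header fields and the stub, not
    # import names; ASCII names there mean the header was overlaid with real data,
    # which is what the packed DLL's "MZKERNEL32.DLL..LoadLibraryA" preview shows.
    overlaid = [m.decode() for m in re.findall(rb"[A-Za-z0-9_.@]{6,}", pe[2:0x3C])]
    return {
        "entry_section": entry,
        "entry_in_standard_section": entry in STANDARD_SECTIONS,
        "high_entropy_sections": [s["name"] for s in sections
                                  if s["raw_size"] and s["entropy"] > HIGH_ENTROPY],
        "dos_header_strings": overlaid,
    }


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image for the demo (not a real binary, not S4.exe)."""
    if packed:
        # DOS header overlaid with import names, modelled on the dropped DLL's preview.
        dos_body = b"KERNEL32.DLL\0\0LoadLibraryA\0\0\0\0GetProcAddress\0\0UpackByDwing"
        sec2 = (b".hypo", 0xE0000020)             # hypothetical stub section, RWX code
        sec2_data = bytes(range(256)) * 2         # every byte value twice: entropy 8.0
        entry_rva = 0x2010                        # entry point inside the stub section
    else:
        dos_body = b""
        sec2 = (b".data", 0xC0000040)
        sec2_data = b"\0" * 0x200
        entry_rva = 0x1010                        # entry point inside .text
    dos = b"MZ" + dos_body.ljust(58, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x673D767C, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 6, 0, 0x200, 0x200, 0, entry_rva,
                      0x1000, 0x2000, 0x400000).ljust(224, b"\0")
    text = (b"\x55\x8b\xec\x83\xec\x58" * 86)[:0x200]   # low-entropy, code-like bytes
    hdrs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdrs += struct.pack("<8sIIIIIIHHI", sec2[0], 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, sec2[1])
    return (dos + coff + opt + hdrs).ljust(0x200, b"\0") + text + sec2_data.ljust(0x200, b"\0")


if __name__ == "__main__":
    for label in ("clean", "packed"):
        print(label, triage(build_sample_pe(packed=label == "packed")))
```

Feeding a real file is `triage(open(path, "rb").read())`. The entropy check is the one that fires on the dropped DLL (7.9997 is as close to 8.0 as a file gets); the entry-point check corresponds to the "Entry point lies outside standard sections" signature, and the DOS-header check is specific to packers that, like Upack, reuse the header bytes for their own import data.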
                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                 TEXTINCLUDE | 0x3edb9c | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273
                                                 TEXTINCLUDE | 0x3edba8 | 0x16 | data | Chinese | China | 1.3636363636363635
                                                 TEXTINCLUDE | 0x3edbc0 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267
                                                 RT_CURSOR | 0x3edd14 | 0x134 | data | Chinese | China | 0.5811688311688312
                                                 RT_CURSOR | 0x3ede48 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
                                                 RT_CURSOR | 0x3edf7c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
                                                 RT_CURSOR | 0x3ee0b0 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
                                                 RT_BITMAP | 0x3ee164 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342
                                                 RT_BITMAP | 0x3ee3ac | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444
                                                 RT_BITMAP | 0x3ee4f0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026
                                                 RT_BITMAP | 0x3ee648 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442
                                                 RT_BITMAP | 0x3ee7a0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279
                                                 RT_BITMAP | 0x3ee8f8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395
                                                 RT_BITMAP | 0x3eea50 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256
                                                 RT_BITMAP | 0x3eeba8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513
                                                 RT_BITMAP | 0x3eed00 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536
                                                 RT_BITMAP | 0x3eee58 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303
                                                 RT_BITMAP | 0x3eefb0 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615
                                                 RT_BITMAP | 0x3ef594 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
                                                 RT_BITMAP | 0x3ef64c | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296
                                                 RT_BITMAP | 0x3ef7b8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
                                                 RT_ICON | 0x3ef8fc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.26344086021505375
                                                 RT_ICON | 0x3efbe4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217
                                                 RT_ICON | 0x3efd0c | 0x108028 | Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152 | | | 0.4574317932128906
                                                 RT_MENU | 0x4f7d34 | 0xc | data | Chinese | China | 1.5
                                                 RT_MENU | 0x4f7d40 | 0x284 | data | Chinese | China | 0.5
                                                 RT_DIALOG | 0x4f7fc4 | 0x98 | data | Chinese | China | 0.7171052631578947
                                                 RT_DIALOG | 0x4f805c | 0x17a | data | Chinese | China | 0.5185185185185185
                                                 RT_DIALOG | 0x4f81d8 | 0xfa | data | Chinese | China | 0.696
                                                 RT_DIALOG | 0x4f82d4 | 0xea | data | Chinese | China | 0.6239316239316239
                                                 RT_DIALOG | 0x4f83c0 | 0x8ae | data | Chinese | China | 0.39603960396039606
                                                 RT_DIALOG | 0x4f8c70 | 0xb2 | data | Chinese | China | 0.7359550561797753
                                                 RT_DIALOG | 0x4f8d24 | 0xcc | data | Chinese | China | 0.7647058823529411
                                                 RT_DIALOG | 0x4f8df0 | 0xb2 | data | Chinese | China | 0.6629213483146067
                                                 RT_DIALOG | 0x4f8ea4 | 0xe2 | data | Chinese | China | 0.6637168141592921
                                                 RT_DIALOG | 0x4f8f88 | 0x18c | data | Chinese | China | 0.5227272727272727
                                                 RT_STRING | 0x4f9114 | 0x50 | data | Chinese | China | 0.85
                                                 RT_STRING | 0x4f9164 | 0x2c | data | Chinese | China | 0.5909090909090909
                                                 RT_STRING | 0x4f9190 | 0x78 | data | Chinese | China | 0.925
                                                 RT_STRING | 0x4f9208 | 0x1c4 | data | Chinese | China | 0.8141592920353983
                                                 RT_STRING | 0x4f93cc | 0x12a | data | Chinese | China | 0.5201342281879194
                                                 RT_STRING | 0x4f94f8 | 0x146 | data | Chinese | China | 0.6288343558282209
                                                 RT_STRING | 0x4f9640 | 0x40 | data | Chinese | China | 0.65625
                                                 RT_STRING | 0x4f9680 | 0x64 | data | Chinese | China | 0.73
                                                 RT_STRING | 0x4f96e4 | 0x1d8 | data | Chinese | China | 0.6758474576271186
                                                 RT_STRING | 0x4f98bc | 0x114 | data | Chinese | China | 0.6376811594202898
                                                 RT_STRING | 0x4f99d0 | 0x24 | data | Chinese | China | 0.4444444444444444
                                                 RT_GROUP_CURSOR | 0x4f99f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                 RT_GROUP_CURSOR | 0x4f9a08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                 RT_GROUP_CURSOR | 0x4f9a1c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
                                                 RT_GROUP_ICON | 0x4f9a40 | 0x14 | Targa image data - Map 32 x 32808 x 16 | | | 1.1
                                                 RT_GROUP_ICON | 0x4f9a54 | 0x14 | data | Chinese | China | 1.2
                                                 RT_GROUP_ICON | 0x4f9a68 | 0x14 | data | Chinese | China | 1.25
                                                 RT_VERSION | 0x4f9a7c | 0x240 | data | Chinese | China | 0.5642361111111112
                                                 RT_MANIFEST | 0x4f9cbc | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | | | 0.5878524945770065
                                                 DLL | Import
                                                 WINMM.dll | midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
                                                 WS2_32.dll | WSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
                                                 RASAPI32.dll | RasGetConnectStatusA, RasHangUpA
                                                 KERNEL32.dll | MultiByteToWideChar, SetLastError, GetTimeZoneInformation, GetVersion, lstrcmpiA, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, OpenProcess, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, InterlockedExchange, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, TerminateThread
                                                 USER32.dll | SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, WinHelpA, KillTimer, SetTimer, LoadStringA, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, CreateAcceleratorTableA, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, DispatchMessageA, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, GetForegroundWindow, RegisterWindowMessageA, GetWindowPlacement, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, TabbedTextOutA, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, 
WaitForInputIdle, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, FindWindowA, UnregisterClassA, GetDlgItem, GetWindowTextA, CallWindowProcA, RegisterHotKey, UnregisterHotKey, DrawTextA, SetWindowsHookExA, UnhookWindowsHookEx, EnumThreadWindows, GetWindowTextLengthA, EnumChildWindows, CallNextHookEx, GetWindowDC, GetSysColorBrush, FrameRect, SetWindowTextA, PtInRect, CreateWindowExA, CharUpperA, BeginPaint, EndPaint
                                                GDI32.dllGetViewportExtEx, ExtSelectClipRgn, Arc, GetTextExtentPoint32A, GetDeviceCaps, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetDIBits, RealizePalette, SelectPalette, StretchBlt, CreatePalette, GetSystemPaletteEntries, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, SetPixel, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, SetBkMode, LineTo, MoveToEx, SetTextColor, CreateEllipticRgnIndirect, GetTextMetricsA, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetROP2, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, RoundRect, GetCurrentObject, DPtoLP, LPtoDP, Rectangle, Ellipse, CreateCompatibleDC, GetPixel, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, SetPolyFillMode, RestoreDC, SaveDC, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, CreateDIBitmap, GetTextColor
                                                MSIMG32.dllGradientFill
                                                WINSPOOL.DRVOpenPrinterA, DocumentPropertiesA, ClosePrinter
                                                ADVAPI32.dllRegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
                                                SHELL32.dllSHGetSpecialFolderPathA, Shell_NotifyIconA, ShellExecuteA, SHChangeNotify, DragQueryFileA, DragFinish, DragAcceptFiles
                                                ole32.dllCoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
                                                OLEAUT32.dllUnRegisterTypeLib, LoadTypeLib, RegisterTypeLib
                                                COMCTL32.dllImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag, _TrackMouseEvent
                                                WININET.dllInternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
                                                comdlg32.dllChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA
Language of compilation system | Country where language is spoken | Map
Chinese | China
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 09:21:55.172125101 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:55.177090883 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:55.178339005 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:55.182796001 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:55.188004017 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:56.255052090 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:56.255130053 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:56.255186081 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:56.255197048 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:56.255227089 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:56.255254984 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:56.255259037 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:56.255268097 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:56.255295992 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:56.255310059 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:56.802608967 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:56.807595015 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:57.212788105 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:57.212882042 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:59.395895004 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:59.404294014 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:59.806988001 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:59.807051897 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:59.807147980 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:59.807162046 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:59.807174921 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:59.807185888 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:59.807188034 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:59.807221889 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:59.807260036 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:21:59.895831108 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:21:59.895893097 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:00.076740026 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:00.081742048 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:00.486123085 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:00.486296892 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:25.024208069 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:25.032222986 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:25.032375097 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:25.032537937 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:25.040297031 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.108884096 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.108901978 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.108916998 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.108953953 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:26.108973980 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:26.109357119 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.109369993 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.109380960 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.109430075 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:26.109453917 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:26.327539921 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:26.333923101 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.777812958 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:26.777919054 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:28.816766977 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:28.821995020 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.197004080 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.197026014 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.197037935 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.197105885 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:29.197465897 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.197478056 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.197524071 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:29.341614008 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:22:29.346695900 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.748754025 CET | 80 | 49708 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:22:29.748884916 CET | 49708 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:23:45.108171940 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
Nov 20, 2024 09:23:45.113562107 CET | 80 | 49704 | 42.193.100.57 | 192.168.2.8
Nov 20, 2024 09:23:45.113646984 CET | 49704 | 80 | 192.168.2.8 | 42.193.100.57
• 42.193.100.57
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 42.193.100.57 | 80 | 5800 | C:\Users\user\Desktop\S4.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:21:55.182796001 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:21:56.255052090 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:21:55 GMT
Content-Length: 5139
                                                Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:21:56.255186081 CET | 1236 | IN | Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
Data Ascii: T4
Nov 20, 2024 09:21:56.255197048 CET | 448 | IN | Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0
Data Ascii: 2III322
Nov 20, 2024 09:21:56.255254984 CET | 1236 | IN | Data Raw: 0d 0a cb e9 bf d5 d6 f7 d4 d7 0d 0a 38 2e 32 36 d7 a2 d2 e2 ca c2 cf ee 0d 0a bd f8 bb af d2 bb cd b7 d6 ed 0d 0a d2 bb b8 f9 cf c9 bc f5 c9 d9 d5 bd c1 a6 0d 0a c9 a5 ca ac b3 f6 c1 fd 0d 0a c3 fe d3 e3 b7 e8 bf f1 cc d4 bd f0 0d 0a d2 bb b8 f9
Data Ascii: 8.264FORPG2
Nov 20, 2024 09:21:56.255268097 CET | 1207 | IN | Data Raw: cc ec d6 ae e1 db 0d 0a c4 a7 ca de d5 f7 d5 bd ca a6 0d 0a d5 da cc ec c8 fd b2 bf c7 fa 0d 0a cb de c3 fc c2 d6 bb d8 0d 0a ce e1 c3 fb ce aa bb c4 0d 0a df c7 df c7 c2 d2 c9 b1 0d 0a c9 a5 ca ac b5 ba 0d 0a d2 bb bf c3 ca f7 0d 0a d2 bb b8 f9
Data Ascii: X222ORPG
Nov 20, 2024 09:21:56.802608967 CET | 148 | OUT | GET /123.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:21:57.212788105 CET | 435 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sun, 17 Nov 2024 14:06:42 GMT
Accept-Ranges: bytes
ETag: "9cdfe1edf938db1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:21:57 GMT
Content-Length: 210
                                                Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc
Data Ascii: 32TDII
Nov 20, 2024 09:21:59.395895004 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:21:59.806988001 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:21:59 GMT
Content-Length: 5139
                                                Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:21:59.807147980 CET | 1236 | IN | Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
Data Ascii: T4
Nov 20, 2024 09:21:59.807162046 CET | 448 | IN | Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0
Data Ascii: 2III322
Nov 20, 2024 09:21:59.807174921 CET | 1236 | IN | Data Raw: 0d 0a cb e9 bf d5 d6 f7 d4 d7 0d 0a 38 2e 32 36 d7 a2 d2 e2 ca c2 cf ee 0d 0a bd f8 bb af d2 bb cd b7 d6 ed 0d 0a d2 bb b8 f9 cf c9 bc f5 c9 d9 d5 bd c1 a6 0d 0a c9 a5 ca ac b3 f6 c1 fd 0d 0a c3 fe d3 e3 b7 e8 bf f1 cc d4 bd f0 0d 0a d2 bb b8 f9
Data Ascii: 8.264FORPG2
Nov 20, 2024 09:21:59.807185888 CET | 116 | IN | Data Raw: cc ec d6 ae e1 db 0d 0a c4 a7 ca de d5 f7 d5 bd ca a6 0d 0a d5 da cc ec c8 fd b2 bf c7 fa 0d 0a cb de c3 fc c2 d6 bb d8 0d 0a ce e1 c3 fb ce aa bb c4 0d 0a df c7 df c7 c2 d2 c9 b1 0d 0a c9 a5 ca ac b5 ba 0d 0a d2 bb bf c3 ca f7 0d 0a d2 bb b8 f9
Data Ascii: X
Nov 20, 2024 09:21:59.895831108 CET | 1091 | IN | Data Raw: 0a ce de cf de bf d6 b2 c0 c2 d6 bb d8 d4 d9 c6 f4 0d 0a cd ea b5 b0 ce d2 b1 bb b9 d6 ce ef b0 fc ce a7 c1 cb 0d 0a b7 c7 b3 a3 c0 a7 c4 d1 b5 c4 cb fe b7 c0 cd bc 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a c9 ee d4 a8 b4 ab cb b5 0d 0a ce d2 b5 c4
Data Ascii: 222ORPGORPGVS2222100
Nov 20, 2024 09:22:00.076740026 CET | 148 | OUT | GET /123.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:22:00.486123085 CET | 435 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sun, 17 Nov 2024 14:06:42 GMT
Accept-Ranges: bytes
ETag: "9cdfe1edf938db1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:21:59 GMT
Content-Length: 210
                                                Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc
Data Ascii: 32TDII

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49708 | 42.193.100.57 | 80 | 5876 | C:\Users\user\Desktop\S4.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:22:25.032537937 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:22:26.108884096 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:22:26 GMT
Content-Length: 5139
                                                Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:22:26.108901978 CET | 224 | IN | Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
Data Ascii: T4
Nov 20, 2024 09:22:26.108916998 CET | 1236 | IN | Data Raw: 0d 0a ce d2 d2 aa b4 f2 bd a9 ca ac 0d 0a d2 bb c9 ed d1 fd d7 b0 0d 0a ce d2 c4 dc b4 b3 bc b8 b9 d8 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 0d 0a bf aa cf e4 c9 fa b4 e6 0d 0a ca ae b5 ee d1 d6 c2 de 32 b2 e2 ca d4 0d 0a c6 e5 c5 cc ce
Data Ascii: 2II2T
Nov 20, 2024 09:22:26.109357119 CET | 1236 | IN | Data Raw: ae c3 fc d4 cb 0d 0a ca ae b5 ee d1 d6 c2 de 32 d7 a8 cb a2 c8 a8 cf de 0d 0a d0 a1 d0 a1 bd a3 ca a5 d7 a8 cb a2 c8 a8 cf de 0d 0a d2 bb c4 ee cd a8 cc ec d7 a8 cb a2 c8 a8 cf de 0d 0a cb c4 c9 fa ca d3 bd e7 d7 a8 cb a2 c8 a8 cf de 0d 0a b7 e7
Data Ascii: 2F38.26
Nov 20, 2024 09:22:26.109369993 CET | 1236 | IN | Data Raw: af 0d 0a b7 e8 bf f1 b4 f2 bd f0 0d 0a cc b0 c0 b7 bf f3 bf d3 0d 0a c7 f3 cf c9 cc ec b5 c0 54 44 0d 0a b3 d4 ca e9 c9 fa b4 e6 0d 0a ba da bb ea c6 f4 ca be c2 bc 0d 0a ce d2 d4 da c3 f7 c4 a9 b5 b1 bd ab be fc 0d 0a be f8 ca c0 ce e4 bb ea 0d
Data Ascii: TD7
Nov 20, 2024 09:22:26.109380960 CET | 195 | IN | Data Raw: d2 bb c9 ed c9 f1 d7 b0 33 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d5 b6 d4 c2 cd c0 c1 fa 0d 0a d0 fe bb f0 b2 d4 f1 b7 0d 0a d3 a2 d0 db c2 b7 0d 0a be fc cd c5 d5 bd d5 f9 35 0d 0a b0 b5 ba da d1 ad bb b7 c8 a6 0d 0a c3 ce bc a3 c9 b3 ba d3 32 0d
Data Ascii: 35222
Nov 20, 2024 09:22:26.327539921 CET | 148 | OUT | GET /123.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:22:26.777812958 CET | 435 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sun, 17 Nov 2024 14:06:42 GMT
Accept-Ranges: bytes
ETag: "9cdfe1edf938db1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:22:26 GMT
Content-Length: 210
                                                Nov 20, 2024 09:22:28.816766977 CET  181  OUT  GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                Accept: */*
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                Host: 42.193.100.57
                                                Cache-Control: no-cache
                                                Nov 20, 2024 09:22:29.197004080 CET  1236  IN  HTTP/1.1 200 OK
                                                Content-Type: text/plain
                                                Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                Accept-Ranges: bytes
                                                ETag: "c04e101e3bdb1:0"
                                                Server: Microsoft-IIS/8.5
                                                Date: Wed, 20 Nov 2024 08:22:29 GMT
                                                Content-Length: 5139
                                                Nov 20, 2024 09:22:29.341614008 CET  148  OUT  GET /123.txt HTTP/1.1
                                                Accept: */*
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                Host: 42.193.100.57
                                                Cache-Control: no-cache
                                                Nov 20, 2024 09:22:29.748754025 CET  435  IN  HTTP/1.1 200 OK
                                                Content-Type: text/plain
                                                Last-Modified: Sun, 17 Nov 2024 14:06:42 GMT
                                                Accept-Ranges: bytes
                                                ETag: "9cdfe1edf938db1:0"
                                                Server: Microsoft-IIS/8.5
                                                Date: Wed, 20 Nov 2024 08:22:29 GMT
                                                Content-Length: 210



                                                Target ID:0
                                                Start time:03:21:44
                                                Start date:20/11/2024
                                                Path:C:\Users\user\Desktop\S4.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\S4.exe"
                                                Imagebase:0x400000
                                                File size:4'952'064 bytes
                                                MD5 hash:E1CDD1C7FAF2A7E52420B5B2F0ACBBBB
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false

                                                Target ID:5
                                                Start time:03:22:19
                                                Start date:20/11/2024
                                                Path:C:\Users\user\Desktop\S4.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\S4.exe"
                                                Imagebase:0x400000
                                                File size:4'952'064 bytes
                                                MD5 hash:E1CDD1C7FAF2A7E52420B5B2F0ACBBBB
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:7.9%
                                                  Dynamic/Decrypted Code Coverage:52.3%
                                                  Signature Coverage:30.1%
                                                  Total number of Nodes:654
                                                  Total number of Limit Nodes:32

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 884 4accc0-4acce5 885 4acceb-4accf6 884->885 886 4acd83-4acd92 884->886 887 4accf8-4acd02 885->887 888 4acd05-4acd08 885->888 889 4acd98-4acda8 886->889 890 4ad03f-4ad050 886->890 887->888 891 4acd0a-4acd1b call 51b4b8 888->891 892 4acd1d 888->892 893 4acdaa-4acdb4 call 51b4b8 889->893 894 4acdb9-4acdd6 call 4995c0 889->894 895 4acd1f-4acd31 GetProcAddress 891->895 892->895 893->894 905 4aceef 894->905 906 4acddc-4acdef call 51c4d0 894->906 899 4acd33-4acd61 call 4b6440 call 4ad090 call 52c8d4 895->899 900 4acd66-4acd80 call 4acca0 895->900 899->900 908 4acef4-4acf02 LoadLibraryA 905->908 919 4aceba-4acec1 LoadLibraryA 906->919 920 4acdf5-4ace06 906->920 912 4acf3f-4acf48 908->912 913 4acf04-4acf12 GetProcAddress 908->913 912->908 921 4acf4a-4acf55 912->921 916 4acf2a-4acf34 913->916 917 4acf14-4acf1f 913->917 916->921 923 4acf36-4acf3d FreeLibrary 916->923 917->916 922 4acf21-4acf27 917->922 919->921 929 4acec7-4aced5 GetProcAddress 919->929 925 4ace08-4ace26 call 52cb1d LoadLibraryA call 52c8d4 920->925 926 4ace30-4ace7d call 52cb1d * 2 LoadLibraryA call 52c8d4 * 2 920->926 927 4acf5b-4acf5d 921->927 928 4ad01c-4ad01e 921->928 922->916 923->912 925->929 951 4ace2c 925->951 926->929 963 4ace7f-4ace90 926->963 931 4acf5f-4acf60 FreeLibrary 927->931 932 4acf66-4acf75 call 4995c0 927->932 934 4ad020-4ad02b 928->934 935 4ad036-4ad03c 928->935 929->921 936 4aced7-4acee2 929->936 931->932 947 4acfca-4ad019 call 4b6440 call 4ad090 call 52c8d4 932->947 948 4acf77-4acfc7 call 4b6440 call 4ad090 call 52c8d4 932->948 934->935 940 4ad02d-4ad033 934->940 935->890 936->921 941 4acee4-4aceed 936->941 940->935 941->921 951->926 966 4aceb2-4aceb4 963->966 967 4ace92-4acead call 52cb1d LoadLibraryA call 52c8d4 963->967 966->929 970 4aceb6 966->970 967->966 970->919
                                                  APIs
                                                  • GetProcAddress.KERNEL32(00000000,007A79FC), ref: 004ACD27
                                                  • LoadLibraryA.KERNEL32(?,?,007B80F8), ref: 004ACE17
                                                  • LoadLibraryA.KERNEL32(?,?), ref: 004ACE5D
                                                  • LoadLibraryA.KERNEL32(?,?,007B8000,00000001), ref: 004ACEA5
                                                  • LoadLibraryA.KERNEL32(00000001), ref: 004ACEBB
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004ACECD
                                                  • FreeLibrary.KERNEL32(00000000), ref: 004ACF60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressProc$Free
                                                  • String ID: |zy
                                                  • API String ID: 3120990465-1587744962
                                                  • Opcode ID: b482e641d70a4e77d6cac7dcabe48db3b8cab70ccdcf3295712c96e212b09be5
                                                  • Instruction ID: 062bb0e54c7d9c1eaa9a0d998430f1a60a67647b7abcf222d920c93b2b298ce9
                                                  • Opcode Fuzzy Hash: b482e641d70a4e77d6cac7dcabe48db3b8cab70ccdcf3295712c96e212b09be5
                                                  • Instruction Fuzzy Hash: 1BA1E571604702AFD714DF68D881BABB7A4FFA6314F044A2EF81597381D738E905CB96

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 1015 100193c2-10019472 call 1002748d * 3 call 100294c0 1024 10019474-1001947a call 10027487 1015->1024 1025 1001947d-1001949e CopyFileA 1015->1025 1024->1025 1027 100194a0-100194b4 call 10027499 1025->1027 1028 100194b7-100194c3 1025->1028 1027->1028 1029 100194c5 1028->1029 1030 100194ca-100194e9 call 10028d40 1028->1030 1029->1030 1036 100194f4-10019504 1030->1036 1037 100194eb-100194f1 call 10027487 1030->1037 1039 10019506 1036->1039 1040 1001950b-10019525 call 10028000 1036->1040 1037->1036 1039->1040 1044 1001952b-10019539 1040->1044 1045 1001956e-10019586 call 1000241a 1040->1045 1047 10019540-1001955f call 10028d40 1044->1047 1048 1001953b 1044->1048 1052 10019588 1045->1052 1053 1001958d-100195b5 call 10028e50 call 10006495 1045->1053 1054 10019561-10019567 call 10027487 1047->1054 1055 1001956a-1001956b 1047->1055 1048->1047 1052->1053 1062 100195d6 1053->1062 1063 100195bb-100195c9 1053->1063 1054->1055 1055->1045 1064 100195db-100195dd 1062->1064 1063->1062 1065 100195cf-100195d4 1063->1065 1066 100195e3-1001960c RtlAllocateHeap 1064->1066 1067 10019832-10019840 1064->1067 1065->1064 1068 10019625-10019688 call 10007b67 call 1002748d call 10008edd call 10027487 1066->1068 1069 1001960e-10019622 call 10027499 1066->1069 1073 10019842-10019848 call 10027487 1067->1073 1074 1001984b-10019850 1067->1074 1102 10019689-10019691 1068->1102 1069->1068 1073->1074 1078 10019852-10019858 call 10027487 1074->1078 1079 1001985b-10019882 call 10027487 * 2 1074->1079 1078->1079 1091 10019895 1079->1091 1092 10019884 1079->1092 1095 1001989b-100198bb call 10027487 * 2 1091->1095 1096 100198bd-100198c9 call 10027487 1091->1096 1094 10019886-1001988a 1092->1094 1099 10019891-10019893 1094->1099 1100 1001988c-1001988f 1094->1100 1095->1096 1099->1091 1100->1094 1103 10019822-1001982d call 100094fb 1102->1103 1104 10019697-100196a5 call 10001000 1102->1104 1103->1067 1112 100196a7-100196bb call 10027499 
1104->1112 1113 100196be-100196c2 1104->1113 1112->1113 1115 100196c4-100196d8 call 10027499 1113->1115 1116 100196db-10019736 call 10001b27 call 10001000 1113->1116 1115->1116 1124 10019738-1001974c call 10027499 1116->1124 1125 1001974f-10019753 1116->1125 1124->1125 1127 10019755-10019769 call 10027499 1125->1127 1128 1001976c-100197c7 call 10001b27 call 10001000 1125->1128 1127->1128 1136 100197e0-100197e4 1128->1136 1137 100197c9-100197dd call 10027499 1128->1137 1139 100197e6-100197fa call 10027499 1136->1139 1140 100197fd-1001981d call 10007b67 1136->1140 1137->1136 1139->1140 1140->1102
                                                  APIs
                                                    • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                    • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                    • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                    • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                  • String ID: @
                                                  • API String ID: 183890193-2766056989
                                                  • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                  • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                  • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                  • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 1295 1000710e-10007271 call 1002748d * 5 GetVersionExA 1306 10007273-10007287 call 10027499 1295->1306 1307 1000728a-100072e2 call 10027ca0 1295->1307 1306->1307 1312 100072f3-100072f9 1307->1312 1313 100072e4 1307->1313 1315 10007300-1000734b call 10027487 1312->1315 1316 100072fb 1312->1316 1314 100072e6-100072ea 1313->1314 1317 100072f1 1314->1317 1318 100072ec-100072ef 1314->1318 1321 10007351-100073f3 call 1002748d GetSystemInfo 1315->1321 1322 100077ad-100077b2 1315->1322 1316->1315 1317->1312 1318->1314 1328 100073f5-10007409 call 10027499 1321->1328 1329 1000740c-100074c4 call 10027487 RtlGetNtVersionNumbers 1321->1329 1323 100077b7-100077f1 call 10027487 * 4 1322->1323 1328->1329 1336 100074c6-100074da call 10027499 1329->1336 1337 100074dd-10007520 1329->1337 1336->1337 1340 10007552-10007556 1337->1340 1341 10007526-1000752a 1337->1341 1347 10007630-10007634 1340->1347 1348 1000755c-10007560 1340->1348 1344 10007530-10007534 1341->1344 1345 1000754d 1341->1345 1351 10007546 1344->1351 1352 1000753a-10007541 1344->1352 1354 100077a5-100077a8 1345->1354 1349 1000778a-1000778e 1347->1349 1350 1000763a-1000763e 1347->1350 1355 10007591-10007595 1348->1355 1356 10007566-10007574 1348->1356 1349->1354 1361 10007794-10007798 1349->1361 1359 10007650-10007654 1350->1359 1360 10007644-1000764b 1350->1360 1351->1345 1352->1345 1354->1323 1357 100075c6-100075ca 1355->1357 1358 1000759b-100075a9 1355->1358 1362 10007584 1356->1362 1363 1000757a-1000757f 1356->1363 1369 100075d0-100075de 1357->1369 1370 100075fb-100075ff 1357->1370 1365 100075b9 1358->1365 1366 100075af-100075b4 1358->1366 1367 10007785 1359->1367 1368 1000765a-1000766f 1359->1368 1360->1367 1361->1354 1371 1000779e 1361->1371 1364 10007589-1000758c 1362->1364 1363->1364 1372 1000762b 1364->1372 1373 100075be-100075c1 1365->1373 1366->1373 1367->1354 1381 10007671-10007685 call 10027499 1368->1381 1382 10007688-1000768f 1368->1382 
1374 100075e4-100075e9 1369->1374 1375 100075ee 1369->1375 1370->1372 1376 10007605-10007613 1370->1376 1371->1354 1372->1354 1373->1372 1378 100075f3-100075f6 1374->1378 1375->1378 1379 10007623 1376->1379 1380 10007619-1000761e 1376->1380 1378->1372 1383 10007628 1379->1383 1380->1383 1381->1382 1385 100076a1-100076a5 1382->1385 1386 10007695-1000769c 1382->1386 1383->1372 1388 100076c7 1385->1388 1389 100076ab-100076ba 1385->1389 1386->1367 1390 100076cc-100076ce 1388->1390 1389->1388 1391 100076c0-100076c5 1389->1391 1392 100076e0-1000771d call 10028950 1390->1392 1393 100076d4-100076db 1390->1393 1391->1390 1396 10007723-1000772a 1392->1396 1397 1000772f-1000776c call 10028950 1392->1397 1393->1367 1396->1367 1400 10007772-10007779 1397->1400 1401 1000777e 1397->1401 1400->1367 1401->1367
                                                  APIs
                                                  • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                  • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                  • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Version$InfoNumbersSystem
                                                  • String ID:
                                                  • API String ID: 995872648-0
                                                  • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                  • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                  • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                  • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 1402 10007fdd-1000801e call 100280c0 1405 10008020-10008026 call 10027487 1402->1405 1406 10008029-10008059 call 1000241a call 10007db8 1402->1406 1405->1406 1413 10008098-1000809d 1406->1413 1414 1000805f-10008063 1406->1414 1416 100080a8-100080ab 1413->1416 1417 1000809f-100080a5 call 10027487 1413->1417 1414->1413 1415 10008069-1000806c 1414->1415 1420 10008075-1000807c 1415->1420 1417->1416 1421 10008095 1420->1421 1422 1000807e-10008092 call 10027499 1420->1422 1421->1413 1422->1421
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: `+Fw
                                                  • API String ID: 3535843008-1178111234
                                                  • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                  • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                  • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                  • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 1425 10018ad3-10018b21 call 10018eea * 2 HeapCreate 1431 10018b23-10018b37 call 10027499 1425->1431 1432 10018b3a-10018b5e HeapCreate 1425->1432 1431->1432 1434 10018b60-10018b74 call 10027499 1432->1434 1435 10018b77-10018b8e call 10001000 1432->1435 1434->1435 1441 10018b90-10018ba4 call 10027499 1435->1441 1442 10018ba7-10018bc8 call 1000188f 1435->1442 1441->1442 1447 10018bd3-10018be4 call 1000b61e 1442->1447 1448 10018bca-10018bd0 call 10027487 1442->1448 1453 10018be6-10018bec call 10027487 1447->1453 1454 10018bef-10018c09 call 10001000 1447->1454 1448->1447 1453->1454 1459 10018c22-10018c43 call 1000188f 1454->1459 1460 10018c0b-10018c1f call 10027499 1454->1460 1465 10018c45-10018c4b call 10027487 1459->1465 1466 10018c4e-10018c5f call 1000b61e 1459->1466 1460->1459 1465->1466 1471 10018c61-10018c67 call 10027487 1466->1471 1472 10018c6a-10018c84 call 10001000 1466->1472 1471->1472 1477 10018c86-10018c9a call 10027499 1472->1477 1478 10018c9d-10018cbe call 1000188f 1472->1478 1477->1478 1483 10018cc0-10018cc6 call 10027487 1478->1483 1484 10018cc9-10018cda call 1000b61e 1478->1484 1483->1484 1489 10018ce5-10018cff call 10001000 1484->1489 1490 10018cdc-10018ce2 call 10027487 1484->1490 1495 10018d01-10018d15 call 10027499 1489->1495 1496 10018d18-10018d39 call 1000188f 1489->1496 1490->1489 1495->1496 1501 10018d44-10018d55 call 1000b61e 1496->1501 1502 10018d3b-10018d41 call 10027487 1496->1502 1507 10018d60-10018d7a call 10001000 1501->1507 1508 10018d57-10018d5d call 10027487 1501->1508 1502->1501 1513 10018d93-10018db4 call 1000188f 1507->1513 1514 10018d7c-10018d90 call 10027499 1507->1514 1508->1507 1519 10018db6-10018dbc call 10027487 1513->1519 1520 10018dbf-10018dd0 call 1000b61e 1513->1520 1514->1513 1519->1520 1525 10018dd2-10018dd8 call 10027487 1520->1525 1526 10018ddb-10018e4b call 10006453 call 1000710e call 10018f34 call 100191e3 call 10019edc call 1000ff10 call 100114f9 
1520->1526 1525->1526 1543 10018e56-10018ea3 call 10019edc call 1000ff10 call 100114f9 1526->1543 1544 10018e4d-10018e53 call 10027487 1526->1544 1553 10018ea5-10018eab call 10027487 1543->1553 1554 10018eae-10018ec2 call 10019f4c 1543->1554 1544->1543 1553->1554 1557 10018ec7-10018ee9 call 1001a236 1554->1557
                                                  APIs
                                                    • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                  • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                    • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Create$Heap$ComputeCrc32Mutex
                                                  • String ID:
                                                  • API String ID: 3311811139-0
                                                  • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                  • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                  • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                  • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52

                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                  control_flow_graph 1563 498c20-498c2a 1564 498c3c-498c42 1563->1564 1565 498c2c-498c39 call 498cf0 1563->1565 1567 498c4c-498c58 1564->1567 1568 498c44-498c49 1564->1568 1570 498c5a-498c60 1567->1570 1571 498ca6-498cad 1567->1571 1570->1571 1574 498c62-498c68 1570->1574 1572 498cba-498ccf RtlAllocateHeap 1571->1572 1573 498caf-498cb5 GetProcessHeap 1571->1573 1575 498cdd-498ce6 1572->1575 1576 498cd1-498cda 1572->1576 1573->1572 1574->1571 1577 498c6a-498ca3 call 501470 1574->1577
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6d90b5265c6a083bd75336c90b8dc952c739af1996ea6f9afd1e19bf474ad85e
                                                  • Instruction ID: 14a775d64e2b16d411ac6a0474f66a07f82cfb30e7dda565d72f6cc662e72958
                                                  • Opcode Fuzzy Hash: 6d90b5265c6a083bd75336c90b8dc952c739af1996ea6f9afd1e19bf474ad85e
                                                  • Instruction Fuzzy Hash: 242116B2601B018FEB20CF69E884F57BBE8EBA1365B10893FE155C7211D775E815CB68
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                  • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                  • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                  • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                  • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                  • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                  • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CreateMutex
                                                  • String ID:
                                                  • API String ID: 1964310414-0
                                                  • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                  • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                  • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                  • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 84ab3c9dcaf6d432e69f414250802ccf90b8c5e1272a82c38340292b53fe6465
                                                  • Instruction ID: 271d4d92b4bdf42f51cac9c848b442a2a56f000869d0641b217429bfb1da7fdb
                                                  • Opcode Fuzzy Hash: 84ab3c9dcaf6d432e69f414250802ccf90b8c5e1272a82c38340292b53fe6465
                                                  • Instruction Fuzzy Hash: 2331F870C04A0DEBCF01DF95E5C5AADBBB0FF49300F5180E5E9A46A259CB355A34DB26

                                                  Control-flow Graph (figure not reproduced)
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(007E6BD8,007E6BAC,00000000,?,007E6BBC,007E6BBC,005367A4,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF,?,00000000), ref: 00536418
                                                  • GlobalAlloc.KERNEL32(00002002,00000000,?,?,007E6BBC,007E6BBC,005367A4,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF,?,00000000), ref: 0053646D
                                                  • GlobalHandle.KERNEL32(00A144B0), ref: 00536476
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0053647F
                                                  • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00536491
                                                  • GlobalHandle.KERNEL32(00A144B0), ref: 005364A8
                                                  • GlobalLock.KERNEL32(00000000), ref: 005364AF
                                                  • LeaveCriticalSection.KERNEL32(0051A909,?,?,007E6BBC,007E6BBC,005367A4,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF,?,00000000), ref: 005364B5
                                                  • GlobalLock.KERNEL32(00000000), ref: 005364C4
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0053650D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                  • String ID:
                                                  • API String ID: 2667261700-0
                                                  • Opcode ID: 63fad3f132bf26efb72d39567dfa04d14275eabd59b3a2e8270ee58155730058
                                                  • Instruction ID: 813fc0938114706683b4966c6056f1d0ce4ab11df8034fd0e132a758308a5a0e
                                                  • Opcode Fuzzy Hash: 63fad3f132bf26efb72d39567dfa04d14275eabd59b3a2e8270ee58155730058
                                                  • Instruction Fuzzy Hash: D5317475600305AFDB259F68EC89A2ABBF9FF84300F00492DF856C3761E771E8588B21

                                                  Control-flow Graph (figure not reproduced)
                                                  APIs
                                                  • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                  • GetTickCount.KERNEL32 ref: 10029543
                                                  • wsprintfA.USER32 ref: 10029558
                                                  • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Path$CountExistsFileTempTickwsprintf
                                                  • String ID: %s%x.tmp
                                                  • API String ID: 3843276195-78920241
                                                  • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                  • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                  • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                  • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                                                  Control-flow Graph (figure not reproduced)
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                  • RtlAllocateHeap.NTDLL(00A00000,00000008,?,?,10028674), ref: 10027BCD
                                                  • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocateMessageProcess
                                                  • String ID: error
                                                  • API String ID: 2992861138-1574812785
                                                  • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                  • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                  • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                  • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                  Control-flow Graph (figure not reproduced)
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                  • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                    • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                    • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00A00000,00000008,?,?,10028674), ref: 10027BCD
                                                    • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                  • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                  • String ID:
                                                  • API String ID: 749537981-0
                                                  • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                  • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                  • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                  • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                  Control-flow Graph (figure not reproduced)
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 0053163A
                                                  • SetWindowsHookExA.USER32(000000FF,VcH,00000000,00000000), ref: 0053164A
                                                    • Part of subcall function 00536805: __EH_prolog.LIBCMT ref: 0053680A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CurrentH_prologHookThreadWindows
                                                  • String ID: VcH
                                                  • API String ID: 2183259885-2144458766
                                                  • Opcode ID: e79a605dff223cbcdf09945f7e442b3bb6a7466dcee96778ff42f9b2bc9c6e6c
                                                  • Instruction ID: 3e65eec3cb34cc788a29d143ddb58f0a9e9c687b6a8744adff5aa7bd115b2aae
                                                  • Opcode Fuzzy Hash: e79a605dff223cbcdf09945f7e442b3bb6a7466dcee96778ff42f9b2bc9c6e6c
                                                  • Instruction Fuzzy Hash: DAF0E571941601BBCB203BB0AC1EB157FA1BF54710F054B5CF162971E2DEA4D88487A6

                                                  Control-flow Graph (figure not reproduced)
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000000,00000000,005328DE,00000000,00000000,00000000,00000000,?,00000000,?,0052A1A3,00000000,00000000,00000000,00000000,0051A909), ref: 00537042
                                                  • SetErrorMode.KERNEL32(00000000,?,00000000,?,0052A1A3,00000000,00000000,00000000,00000000,0051A909,00000000), ref: 00537049
                                                    • Part of subcall function 0053709C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 005370CD
                                                    • Part of subcall function 0053709C: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0053716E
                                                    • Part of subcall function 0053709C: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0053719B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 3389432936-0
                                                  • Opcode ID: 956d53f38330488f065d30974b99f1c4f72edec217a848a2504a31b725332146
                                                  • Instruction ID: fe2ca7675843451ea13d27fdcdcc082f8995c17f0eab8ca4b69eba8f976f2432
                                                  • Opcode Fuzzy Hash: 956d53f38330488f065d30974b99f1c4f72edec217a848a2504a31b725332146
                                                  • Instruction Fuzzy Hash: 9AF037B49182169FC724AF64D849A0D7FE8BF89710F05848EF4449B3A2CBB0D840CFA6

                                                  Control-flow Graph

                                                  control_flow_graph 1593 5208a8-5208c6 HeapCreate 1594 5208c8-5208d5 call 520760 1593->1594 1595 5208fe-520900 1593->1595 1598 5208d7-5208e2 call 524175 1594->1598 1599 5208e4-5208e7 1594->1599 1605 5208ee-5208f0 1598->1605 1600 520901-520904 1599->1600 1601 5208e9 call 524cbc 1599->1601 1601->1605 1605->1600 1606 5208f2-5208f8 HeapDestroy 1605->1606 1606->1595
                                                  APIs
                                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,0051A887,00000001), ref: 005208B9
                                                    • Part of subcall function 00520760: GetVersionExA.KERNEL32 ref: 0052077F
                                                  • HeapDestroy.KERNEL32 ref: 005208F8
                                                    • Part of subcall function 00524175: HeapAlloc.KERNEL32(00000000,00000140,005208E1,000003F8), ref: 00524182
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocCreateDestroyVersion
                                                  • String ID:
                                                  • API String ID: 2507506473-0
                                                  • Opcode ID: cb66110ecd5eb9cbd426de7e103b2dd05c584e9bd6cfc8b24b48d2d42d5bdadf
                                                  • Instruction ID: bed1fdf768c2c4e0dfe41baf6b29779dc4f25bd053bc7d9aed64584b578380fc
                                                  • Opcode Fuzzy Hash: cb66110ecd5eb9cbd426de7e103b2dd05c584e9bd6cfc8b24b48d2d42d5bdadf
                                                  • Instruction Fuzzy Hash: D7F065715573116AEB201730BC4A72B3EA1BF55741F105826F401CD1E7EBA488C0E952

                                                  Control-flow Graph

                                                  control_flow_graph 1607 10027c40-10027c4b 1608 10027c86-10027c87 1607->1608 1609 10027c4d-10027c54 1607->1609 1610 10027c56 call 10027ae0 1609->1610 1611 10027c5b-10027c61 1609->1611 1610->1611 1613 10027c63-10027c69 1611->1613 1614 10027c6b-10027c76 IsBadReadPtr 1611->1614 1613->1608 1613->1614 1614->1608 1615 10027c78-10027c80 RtlFreeHeap 1614->1615 1615->1608
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                  • RtlFreeHeap.NTDLL(00A00000,00000000,00000000), ref: 10027C80
                                                    • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FreeHandleHeapModuleRead
                                                  • String ID:
                                                  • API String ID: 627478288-0
                                                  • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                  • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                  • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                  • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0051C24C
                                                    • Part of subcall function 00522F64: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FA1
                                                    • Part of subcall function 00522F64: EnterCriticalSection.KERNEL32(?,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FBC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                  • String ID:
                                                  • API String ID: 1616793339-0
                                                  • Opcode ID: f2907e7fae55aad9e2f709c5ab16aec0863515ec819aa300f5bcc5e006e62c84
                                                  • Instruction ID: 31585fd87cf4dc93c39ff74e637209de665e1406c5fbbf9897b477b6c4bc3e25
                                                  • Opcode Fuzzy Hash: f2907e7fae55aad9e2f709c5ab16aec0863515ec819aa300f5bcc5e006e62c84
                                                  • Instruction Fuzzy Hash: DA21F136AC0205BBEB10EBA8EC46BDABFA4FB05720F148515F421EB2C1C375A981CA54
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074), ref: 0051C112
                                                    • Part of subcall function 00522F64: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FA1
                                                    • Part of subcall function 00522F64: EnterCriticalSection.KERNEL32(?,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FBC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapInitialize
                                                  • String ID:
                                                  • API String ID: 641406236-0
                                                  • Opcode ID: ce4a3c4107f8df890894bc58c5020cc0faeba580b3b78b47bf21ff04b4aeb018
                                                  • Instruction ID: 968929e109b4ac6041bbdb302962c38155afe5b072a7de18c653fd3514ecb3e4
                                                  • Opcode Fuzzy Hash: ce4a3c4107f8df890894bc58c5020cc0faeba580b3b78b47bf21ff04b4aeb018
                                                  • Instruction Fuzzy Hash: 5521F672881219FBEF20ABA4DC0ABDE7F78FF49720F144115F415B61C1D7799980CAA5
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00A00000,00000000,?), ref: 004B5481
                                                    • Part of subcall function 004AD060: wsprintfA.USER32 ref: 004AD072
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeapwsprintf
                                                  • String ID:
                                                  • API String ID: 1352872168-0
                                                  • Opcode ID: 654d69f9d15e4454f6d6cf7fd211a723779cb135650e10ed8d8e18db577dc6fb
                                                  • Instruction ID: 6778f1b125e4304e882370754b147ce39cd9a49627e35151714a1eb93b3bfa95
                                                  • Opcode Fuzzy Hash: 654d69f9d15e4454f6d6cf7fd211a723779cb135650e10ed8d8e18db577dc6fb
                                                  • Instruction Fuzzy Hash: 62E046B9900208EBCB00DB90E841BAEB7B8AB18304F008658F90947300D635AE409BA5
                                                  APIs
                                                  • LoadStringA.USER32(?,?,?,?), ref: 005321B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: LoadString
                                                  • String ID:
                                                  • API String ID: 2948472770-0
                                                  • Opcode ID: 67abd69595a5292a3436135e47ed7df00919b46b721d9093e9e745172f900b9b
                                                  • Instruction ID: 32b298f7ecad5192aefefcbd7c9d8c1a199a31cdf63463159fd1cf315d35339d
                                                  • Opcode Fuzzy Hash: 67abd69595a5292a3436135e47ed7df00919b46b721d9093e9e745172f900b9b
                                                  • Instruction Fuzzy Hash: 6ED09E76519362ABCA519F619808D4BBFB4BFA5350F058C4DF59493212C360D458D661
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                  • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                  • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                  • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                  APIs
                                                  • IsWindow.USER32(00000000), ref: 1001F57C
                                                  • IsIconic.USER32(00000000), ref: 1001F86F
                                                  • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
                                                  • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
                                                  • GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
                                                  • GetWindowRect.USER32(00000000,?), ref: 100201EB
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 100205D5
                                                  • CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
                                                  • SelectObject.GDI32(00000000,00000000), ref: 10020798
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 100207D7
                                                  • SelectObject.GDI32(00000000,00000000), ref: 1002086C
                                                  • PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
                                                  • SelectObject.GDI32(00000000,00000000), ref: 10020ADE
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4
                                                    • Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8
                                                    • Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
                                                  • String ID:
                                                  • API String ID: 3140154463-0
                                                  • Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                  • Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
                                                  • Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                  • Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25
                                                  APIs
                                                  • PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileFindNamePath
                                                  • String ID:
                                                  • API String ID: 1422272338-0
                                                  • Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                  • Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
                                                  • Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                  • Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 004AD895
                                                  • IsWindow.USER32(00010452), ref: 004AD8B1
                                                  • SendMessageA.USER32(00010452,000083E7,?,00000000), ref: 004AD8CA
                                                  • ExitProcess.KERNEL32 ref: 004AD8DF
                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00538F58,000000FF,?,004AD08C), ref: 004AD9C3
                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00538F58,000000FF,?,004AD08C), ref: 004ADA17
                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00538F58,000000FF,?,004AD08C), ref: 004ADA67
                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00538F58,000000FF,?,004AD08C), ref: 004ADA7E
                                                  • IsWindow.USER32(00010452), ref: 004ADA95
                                                  • DestroyIcon.USER32(?,00000001,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000000,00538F58), ref: 004ADB44
                                                  • WSACleanup.WS2_32 ref: 004ADB8F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                                                  • String ID:
                                                  • API String ID: 3816745216-0
                                                  • Opcode ID: 26a6c0b6b7ab7f527e6052f20b6203f1ad660891eb0388f43f765c3921624281
                                                  • Instruction ID: 1a9c1e8aaf730d2c41b42750314a93c7f8b972785004ab3e3836d3bbfa77f803
                                                  • Opcode Fuzzy Hash: 26a6c0b6b7ab7f527e6052f20b6203f1ad660891eb0388f43f765c3921624281
                                                  • Instruction Fuzzy Hash: A3B15BB0A006019BDB24DF69C8D5AABB7F5BF69300F40492EE5ABC7781CB34B945CB54
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
                                                  • InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
                                                  • InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
                                                  • InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
                                                  • InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
                                                  • InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA
                                                    • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                  • GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked$CodeProcessThreadWindow
                                                  • String ID:
                                                  • API String ID: 1323220708-0
                                                  • Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                  • Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
                                                  • Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                  • Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15
                                                  APIs
                                                  • GetWindowRect.USER32(00000001,00000001), ref: 1002140D
                                                  • GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 100218DC
                                                  • SelectObject.GDI32(00000000,00000000), ref: 1002195D
                                                  • PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
                                                  • GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
                                                  • SelectObject.GDI32(00000000,00000000), ref: 100220CA
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 10022153
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
                                                  • String ID:
                                                  • API String ID: 2343085801-0
                                                  • Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                  • Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
                                                  • Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                  • Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
                                                  • API String ID: 0-1655980394
                                                  • Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                  • Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
                                                  • Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                  • Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62
                                                  APIs
                                                  • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileUnmapView
                                                  • String ID:
                                                  • API String ID: 2564024751-0
                                                  • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                  • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                  • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                  • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 1001A976
                                                  • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                  • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$Release
                                                  • String ID:
                                                  • API String ID: 3581861777-0
                                                  • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                  • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                  • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                  • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                  APIs
                                                  • GetWindow.USER32(?,00000005), ref: 1001A773
                                                  • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                  • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Window$ProcessThreadVisible
                                                  • String ID:
                                                  • API String ID: 569392824-0
                                                  • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                  • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                  • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                  • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: ($`+Fw
                                                  • API String ID: 3535843008-151059746
                                                  • Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                  • Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
                                                  • Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                  • Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61
                                                  APIs
                                                  • SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
                                                  • SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
                                                  • UnloadKeyboardLayout.USER32(00000000), ref: 100159A5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: InfoParametersSystem$KeyboardLayoutUnload
                                                  • String ID:
                                                  • API String ID: 1487128349-0
                                                  • Opcode ID: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                  • Instruction ID: 050fea7ffa1bc3994f10f6bed9b27e470259e4e1db6febdaadab7ec0439d0979
                                                  • Opcode Fuzzy Hash: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                  • Instruction Fuzzy Hash: 224245B5E40305EBEB00DF94DCC2FAE77A4EF18355F540025E605BF286E776AA448B62
                                                  APIs
                                                  • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                  • NtClose.NTDLL(?), ref: 100141D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CloseMutexRelease
                                                  • String ID: `+Fw
                                                  • API String ID: 2985832019-1178111234
                                                  • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                  • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                  • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                  • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: Z$w
                                                  • API String ID: 1659193697-2716038989
                                                  • Opcode ID: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                  • Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
                                                  • Opcode Fuzzy Hash: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                  • Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55
                                                  APIs
                                                  • WindowFromDC.USER32(00000000), ref: 100237BF
                                                  • GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CurrentFromObjectWindow
                                                  • String ID:
                                                  • API String ID: 1970099965-0
                                                  • Opcode ID: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                  • Instruction ID: 5e3447216257589ac88371f0c3b1c154c22f3bd6e68f106655ab8dd4a69be074
                                                  • Opcode Fuzzy Hash: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                  • Instruction Fuzzy Hash: 9F313770D40308EBDB00DF90D886BADBBB0FB0A751F409065F6087E290E7B19A54DF96
                                                  APIs
                                                  • GetStockObject.GDI32(00000011), ref: 1001ACD1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ObjectStock
                                                  • String ID:
                                                  • API String ID: 3428563643-3916222277
                                                  • Opcode ID: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                  • Instruction ID: b9a15d43875d05f13c7aca3fde3137a0688d1b6e1dffe905ed574dcac1c1d11e
                                                  • Opcode Fuzzy Hash: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                  • Instruction Fuzzy Hash: AE325BB5A402569FEB00CF98DCC1B99BBF4FF29314F580065E546AB342D379B991CB22
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID: Thread
                                                  • API String ID: 367298776-915163573
                                                  • Opcode ID: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                  • Instruction ID: e87a296fab3b19ef06520bc3e141919b3527ea124beb15feda4261f24f1e3c13
                                                  • Opcode Fuzzy Hash: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                  • Instruction Fuzzy Hash: 38F116B5E00259ABEF00DFE4EC81BDDBBB5FF08314F640025F605BA241D7B6A9548B65
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID: Process
                                                  • API String ID: 367298776-1235230986
                                                  • Opcode ID: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                  • Instruction ID: 84bd04864f9d1e807072be8e5ab147b3cae892089b2f3c2b5496a308401e609c
                                                  • Opcode Fuzzy Hash: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                  • Instruction Fuzzy Hash: 85E104B5E41259ABEF00DFE4EC81B9DBBB5FF08304F640025F605BA241EB75A954CB61
                                                  APIs
                                                  • lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: #
                                                  • API String ID: 1659193697-1885708031
                                                  • Opcode ID: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                  • Instruction ID: 30fcd15e93819707c4a405128049bbda1367cf8e2b4a4446b34ba685154cf5d7
                                                  • Opcode Fuzzy Hash: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                  • Instruction Fuzzy Hash: 2232CF70D0061DEBEB10DFD0EC99BADBBB4FF48340F618094E495BA199CB715AB58B14
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 626452242-0
                                                  • Opcode ID: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                  • Instruction ID: b3f739b553b0eb222627b335ec04950199b8c6fc0fb38b6c76c83e211291c2b2
                                                  • Opcode Fuzzy Hash: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                  • Instruction Fuzzy Hash: 62417C74E0020DFBEB10DFD0EC46BAEBBB4FB08750F204165F618BA195DBB56A608B55
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 626452242-0
                                                  • Opcode ID: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                  • Instruction ID: dea56998412ea2cd2e2e07e98f2853e180ac33eb45cb94fa257388ef996dc557
                                                  • Opcode Fuzzy Hash: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                  • Instruction Fuzzy Hash: 543141B5E40309BBEB50DFD49C82FAE7BB4EB04710F108055FA18BE2C1D7B6A6909B55
                                                  APIs
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStrings
                                                  • String ID:
                                                  • API String ID: 237503144-0
                                                  • Opcode ID: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                  • Instruction ID: 93bfbce67b494b6763231a081cd11fe6566247fc84b5e7443ef84a885c003b65
                                                  • Opcode Fuzzy Hash: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                  • Instruction Fuzzy Hash: 96313675E00309BBEB51DED49C82FAE7BF4EF08704F104065FA08BB242D772AA509B55
                                                  APIs
                                                  • DispatchMessageA.USER32(1001176C), ref: 100116D4
                                                  • CallWindowProcA.USER32(?,?,?,?), ref: 10011714
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CallDispatchMessageProcWindow
                                                  • String ID:
                                                  • API String ID: 3568206097-0
                                                  • Opcode ID: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                  • Instruction ID: 63bf1ad0f6820a7cfc32d841282287ffa4cda79eab35e4a2f1e5c3704b1abdfe
                                                  • Opcode Fuzzy Hash: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                  • Instruction Fuzzy Hash: AE21C775E40318EBDB00EF94DCC2A9DBBB1FB0D310F5040A5EA08AB351D371AA90DB52
                                                  APIs
                                                  • GetVersion.KERNEL32(?,005374C5,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213,00531617,005328BF), ref: 00537435
                                                  • InitializeCriticalSection.KERNEL32(007E6D70,?,005374C5,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213,00531617), ref: 0053745A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalInitializeSectionVersion
                                                  • String ID:
                                                  • API String ID: 385228656-0
                                                  • Opcode ID: 2aa879280d743eade02ac423614624d509a19727c54003ce25a34aa432af6193
                                                  • Instruction ID: e9e222bdcf74d6eb56c505cf4931f1ada33fc986afb03e80345785b03c638373
                                                  • Opcode Fuzzy Hash: 2aa879280d743eade02ac423614624d509a19727c54003ce25a34aa432af6193
                                                  • Instruction Fuzzy Hash: 04E0B6B599A26CCBEA219B04FD887983FB6B72C795F108005F402492A4C3B87845AE5D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                  • Instruction ID: 90b3556d9a436454375a3f12806074c3db2d9078b135128fdcdde92096655a79
                                                  • Opcode Fuzzy Hash: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                  • Instruction Fuzzy Hash: 52C2B7B4F40346ABFB11CA94DCC2B9E77B0EB08390F214165F658FA2DAD7B15E408B56
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 626452242-0
                                                  • Opcode ID: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                  • Instruction ID: e83377b6f6ad2707753203cfccfcc485ecbfcdf7635717af9e37d537513bb723
                                                  • Opcode Fuzzy Hash: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                  • Instruction Fuzzy Hash: 29814D75E00209ABEF00DFD4DC86FEEBBB4EF08340F504065FA14BA285D7B5AA548B55
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                  • Instruction ID: 7a99189caa79d54ac912ebbbba7bdc920c16141239c7c74b934a59564cf638f4
                                                  • Opcode Fuzzy Hash: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                  • Instruction Fuzzy Hash: 2A6238B5E40348ABEB10DF94DC82F9DBBB5FF08344F244025F608BE292E7B5A9558B51
                                                  APIs
                                                  • PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileFindNamePath
                                                  • String ID:
                                                  • API String ID: 1422272338-0
                                                  • Opcode ID: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                  • Instruction ID: f98056538ddd495e24e8dfbf0cad4fd33bc614c33abef30b02bddadc29e55c32
                                                  • Opcode Fuzzy Hash: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                  • Instruction Fuzzy Hash: 364240B5A40219ABEB00DF94ECC2F9EB7B4FF5C354F140025EA09BF241E775A9508B66
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                  • Instruction ID: ec57d409bd248faccfe3f0420db7539557fe035a6b0d78d3a35a1a7dfc2ec437
                                                  • Opcode Fuzzy Hash: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                  • Instruction Fuzzy Hash: AC5208B5E00208ABEF01DF94EC82FDDBBB5FF08314F544029F614BA292D7B5A9548B65
                                                  APIs
                                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E
                                                    • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CodeLibraryLoad
                                                  • String ID:
                                                  • API String ID: 4269728939-0
                                                  • Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                  • Instruction ID: 8ca3c93d7244418e6012e556740facccd0f38a3c9c4ff1909e44a403dc44f6d3
                                                  • Opcode Fuzzy Hash: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                  • Instruction Fuzzy Hash: BC421AB5E40318AFEF50EF94DC82BDDBBB1FB08740F500125F618BA295D7B6A9808B55
                                                  APIs
                                                    • Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E
                                                  • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: MemoryMoveatoi
                                                  • String ID:
                                                  • API String ID: 2867837884-0
                                                  • Opcode ID: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                  • Instruction ID: c625aa631b3fd7664a23ceac8d029317df328e953ac31412f977eb30fe789f83
                                                  • Opcode Fuzzy Hash: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                  • Instruction Fuzzy Hash: 1A023DB5A40216AFFB00DF94DCC1BAEB7A5FF58354F240025E905AB385E7B5B950CB22
                                                  APIs
                                                  • RtlMoveMemory.NTDLL(00000000), ref: 1000665A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: MemoryMove
                                                  • String ID:
                                                  • API String ID: 1951056069-0
                                                  • Opcode ID: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                                                  • Instruction ID: de403b7ac96d81ad167a5567031b13b093eba99a0845d2f8fdd956dd85fb778c
                                                  • Opcode Fuzzy Hash: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                                                  • Instruction Fuzzy Hash: 12B151B5A812969BFF00CF58DCC1B95B7E1EF69324B291470E846AF344D378B861DB21
                                                  APIs
                                                  • GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: KeyboardLayoutList
                                                  • String ID:
                                                  • API String ID: 4253248152-0
                                                  • Opcode ID: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                                                  • Instruction ID: 3f0b898e91331e47705899626b39ccd446a255f5e12301d86a1815f33d743008
                                                  • Opcode Fuzzy Hash: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                                                  • Instruction Fuzzy Hash: 487158F6E00205AFEB00DFA4ECC2BAE77E5EF58251F540025E609EF341E775A9448B62
                                                  APIs
                                                  • LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: AddressProcedure
                                                  • String ID:
                                                  • API String ID: 3653107232-0
                                                  • Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                  • Instruction ID: 78c0987cb7ffc063797d9a6f9d393f2066e6151a443f59dc1fc5ba499ae867df
                                                  • Opcode Fuzzy Hash: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                  • Instruction Fuzzy Hash: 564146B5D40209AFEB00DFD4EC81BAEB7B5FF18314F244065E909AB245D375AA54CB62
                                                  APIs
                                                  • LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Handle
                                                  • String ID:
                                                  • API String ID: 2519475695-0
                                                  • Opcode ID: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                  • Instruction ID: f5b1eeb52ae3afd7add8d8d659320dd3d1fa50eb2e7bb74abf840f5972d141ec
                                                  • Opcode Fuzzy Hash: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                  • Instruction Fuzzy Hash: 6B312FF6D40205ABEB40DF94ECC2B9AB7F8FF18314F184065E90DAB341E375A9548B62
                                                  APIs
                                                  • RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ComputeCrc32
                                                  • String ID:
                                                  • API String ID: 660108262-0
                                                  • Opcode ID: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                  • Instruction ID: 885f51156191be290847c32039febb9a430df116088fdaca21ba1fa0fc310e03
                                                  • Opcode Fuzzy Hash: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                  • Instruction Fuzzy Hash: FE3149B5E00309BBEB51DFD49C82FBE77B8EF14740F104068FA18BA242D7B6A6509B51
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: DirectorySystem
                                                  • String ID:
                                                  • API String ID: 2188284642-0
                                                  • Opcode ID: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                  • Instruction ID: ee8817d9cef94c28fb543e8b0ac086dfa591c469ffb5e13cc4bb05c5ca752fcb
                                                  • Opcode Fuzzy Hash: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                  • Instruction Fuzzy Hash: 2F115875E00309BBEB40DEE49C42BAD76A8EB08754F241469F608FB241D771AB809756
                                                  APIs
                                                  • IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Code
                                                  • String ID:
                                                  • API String ID: 3609698214-0
                                                  • Opcode ID: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                                                  • Instruction ID: e6d0952806afafb3bf167878436ee8aac056beef16ad5c6831721f9da55ad4d1
                                                  • Opcode Fuzzy Hash: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                                                  • Instruction Fuzzy Hash: E8118B70900209FBEB60DF64CC05BED7BB4EF01390F2041AAED08AA1D4DB729A15DB85
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                                                  • Instruction ID: 374fef4b2e02d52e2e07c0ca9dad6c55ed4794edc6ac8ae58a0c039705d7fb64
                                                  • Opcode Fuzzy Hash: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                                                  • Instruction Fuzzy Hash: CC0171B5E0020DABDB00FFE09D82BAEBBB9EB04301F404466F50876105EB71EA549B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                                                  • Instruction ID: cb7720b851b721871b731c706f7cbe3d90cdbd700e2746e4ab45e97b10e25004
                                                  • Opcode Fuzzy Hash: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                                                  • Instruction Fuzzy Hash: 5C018DB5D00218ABDB11FFD09C82B9E77B8EB09341F804466F50476111D7719B988792
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                                                  • Instruction ID: c1b15002a30057ddc80440081b4ff6bc33ecde6fccf9cd62e387e343abd0d63a
                                                  • Opcode Fuzzy Hash: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                                                  • Instruction Fuzzy Hash: DF014DB5D0021DFBEB10EFE0AC82B9E7778EB14644F904066F50466151EB719B549B91
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                                                  • Instruction ID: 4cade7ef096b15f562c821cb4de08ab4d3fc558eeb9d0de8a70c828ff9c11a3c
                                                  • Opcode Fuzzy Hash: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                                                  • Instruction Fuzzy Hash: 170175B5E0020DEBEB00EFE0EC82FAE7B79EF04240F504066E51566105D771AB549B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                                                  • Instruction ID: 0aed2d4544eee8039acc50f3c1f3685790efcc1e5774387d789b9b1403c596f7
                                                  • Opcode Fuzzy Hash: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                                                  • Instruction Fuzzy Hash: 9A0188B5D0430DABEB10FFE09C82FAE7779EB04280F40046BF505A6505DB71AA14EB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                                                  • Instruction ID: 385097fba51063c84e9e930c69dc2d7aac367372f62906f312b1c310141ed2ce
                                                  • Opcode Fuzzy Hash: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                                                  • Instruction Fuzzy Hash: 40015275D00208E7EB01EFE09C92BEF7B78EB08280F404066E51566155DB71AA149B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                                                  • Instruction ID: 3f7b499d2902c1e46d25e5c31060a7ca09a1136a131adf16b63838e7b32e6cd5
                                                  • Opcode Fuzzy Hash: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                                                  • Instruction Fuzzy Hash: 0B018875D0024CABEB00FFE0DC82EAE7779EB05380F50006AF505A6115DB716A54EB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                                                  • Instruction ID: 4c97a0654b066084171f968f8b0ad47121c2de6078470ba5a976a0987d87b010
                                                  • Opcode Fuzzy Hash: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                                                  • Instruction Fuzzy Hash: EC0175B5D00219E7EB00FFE0EC82BAE7B78FB14240F504466F54566145EB716B549B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                                                  • Instruction ID: 3b8a368ce3914a44cda768e978636fd60f477d925661c7c420499c797e447cb4
                                                  • Opcode Fuzzy Hash: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                                                  • Instruction Fuzzy Hash: 9B0171B5D00249ABEB00FFE0EC82AAEBB78FB04240F404466E60966115DB75AB549B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                                                  • Instruction ID: 1686f6cdf9a679c1f5c84585fd33387023eb604c586a5dba44084a63d2e43e5f
                                                  • Opcode Fuzzy Hash: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                                                  • Instruction Fuzzy Hash: 9C0171B5D00359ABEB10FFE0DC82BAEBB78FB04380F400066E64576115EB71AB54CB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                                                  • Instruction ID: 82e752f980966cf0ba4425328bdbe0b5f15696934bb6f442517d9b0340b204dc
                                                  • Opcode Fuzzy Hash: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                                                  • Instruction Fuzzy Hash: 510179B5E00209EBEB00FFE09C82AAEB778EB05240F504466F54566145EBB16654DB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                                                  • Instruction ID: 1a66ded8f8981fca5c39a2578b95296ca62aec53b1f76630b0cdbd515d7a4f8c
                                                  • Opcode Fuzzy Hash: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                                                  • Instruction Fuzzy Hash: D60175B5D00308BBDB11EFE0AC82FEEBB78EB14344F400066E90566501E7B56B14DB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                                                  • Instruction ID: ae9516facd56fc145b0b9ba1995b908798816dd09d6beae3d77d7b55205b3fe1
                                                  • Opcode Fuzzy Hash: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                                                  • Instruction Fuzzy Hash: AF0184B5E0420CABDB00FFE0EC82BEEBBB9EB04244F400466F5056A111DB75EA549B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                                                  • Instruction ID: 4f30fde94411f2541dcfd4e169ebb1e46575794177a9fc60b21b5106f81313a2
                                                  • Opcode Fuzzy Hash: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                                                  • Instruction Fuzzy Hash: 1001D8B5D0431CA7DB00FFE0ACC2FAEBB78EB05300F810465E51566101EBB16A14DB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                                                  • Instruction ID: 91e5747cc3fe246938bda6916c84b67a4fdfd623eeedb860250414ba6297eca5
                                                  • Opcode Fuzzy Hash: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                                                  • Instruction Fuzzy Hash: 7B0171B5D0020DABEB50FFE49C82EAEBBB8FB04240F500466E54466115EB71AB14DB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                                                  • Instruction ID: 31dc5b1c38583c82a0824eac09af333b299f07736d69ab93248bda9d1065cdb0
                                                  • Opcode Fuzzy Hash: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                                                  • Instruction Fuzzy Hash: 390175B5D04308A7EB40FFE09C82AAE7778FB04640F405476F54466145D771AB54CB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                  • Instruction ID: a0f89ea6e8a02a489adc9b983919e457af64c69ca27a1623b1b8ea733fed46f6
                                                  • Opcode Fuzzy Hash: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                  • Instruction Fuzzy Hash: 5F0184B5D0030CEBEB00FFE0AD92FAEBB78EB04240F504066F50466145DBB1AB54DB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                                                  • Instruction ID: 3d49d6b3b442fbd771079eef3efcaca9525747ce25c9376b7200e1962427cb25
                                                  • Opcode Fuzzy Hash: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                                                  • Instruction Fuzzy Hash: 420152B5D04309A7EB00FFE09C82AAEB778EF04240F504066F50466151EB75AA54DB92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                                                  • Instruction ID: e89bca5dfd4d69b457f6ee300803ba63458d7d33b5f739f05a8734b2afd2cb97
                                                  • Opcode Fuzzy Hash: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                                                  • Instruction Fuzzy Hash: 4C0171B5D00209ABEB00FFE49CC2EAEBB78FB04240F900466E55566116DB71AB549BA6
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                                                  • Instruction ID: 2564c689c805b87f96d1dc3a9772f8e9f463aef008d258d62ef8b45eff4f05b1
                                                  • Opcode Fuzzy Hash: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                                                  • Instruction Fuzzy Hash: 8E01D875D0030CA7DB11FFE09C82F9E7779EB08300F400026F615A7112DB75EA549B92
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  APIs
                                                  • GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A
                                                  Similarity
                                                  • API ID: Ancestor
                                                  • String ID:
                                                  • API String ID: 4063365101-0
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4
                                                  Similarity
                                                  • API ID: CreateMutex
                                                  • String ID:
                                                  • API String ID: 1964310414-0
                                                  APIs
                                                  • ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D
                                                  Similarity
                                                  • API ID: MutexRelease
                                                  • String ID:
                                                  • API String ID: 1638419-0
                                                  APIs
                                                  • HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5
                                                    • Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                  Similarity
                                                  • API ID: AllocExchangeHeapInterlocked
                                                  • String ID:
                                                  • API String ID: 3051970009-0
                                                  APIs
                                                  • HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                  Similarity
                                                  • API ID: AllocHeap
                                                  • String ID:
                                                  • API String ID: 4292702814-0
                                                  Similarity
                                                  • API ID: ObjectSelect
                                                  • String ID:
                                                  • API String ID: 1517587568-0
                                                  Similarity
                                                  • API ID: ComputeCrc32CreateMutex
                                                  • String ID:
                                                  • API String ID: 2647859408-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                                                  • Instruction ID: cb764db9af18425858f0870d561dcf750e8236d090e6b6f48ce3485ee4cf3179
                                                  • Opcode Fuzzy Hash: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                                                  • Instruction Fuzzy Hash: 7E114634845224FBEA11FF90DC42B68BBA1E712345F215067F6042A0B5DBB2ADD6DA42
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                                                  • Instruction ID: eeae7fc577553641f4f664837c49950aecc16b69e97dd8631aebf4018e73b438
                                                  • Opcode Fuzzy Hash: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                                                  • Instruction Fuzzy Hash: FA2137B090060AEAFB10DFA0C844BEEBAB8FB05380F204271F990A6198D7349AD5D754
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                                                  • Instruction ID: ba505964bce734d70dae5fb9ba97fd24188bee46f8c6b217aecce00d80479512
                                                  • Opcode Fuzzy Hash: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                                                  • Instruction Fuzzy Hash: C9112875D00208FBEF00DF90C84579DBBB0EB05345F508069F908AE290DB759B94DB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                                                  • Instruction ID: 8996d56321af788ecdb48f59df6a7f6deac0e56e76c4d4795bf28b9d59f37b7c
                                                  • Opcode Fuzzy Hash: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                                                  • Instruction Fuzzy Hash: D3110975D0020DABEB00DFD0DC46BAEBBB8FF04704F104455F914BA190E7B2AB549B91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                                                  • Instruction ID: aa05f780bf07b04a9dbad2cba23d858d9fb5007feb3f8ac9aeeac6949bb19c5c
                                                  • Opcode Fuzzy Hash: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                                                  • Instruction Fuzzy Hash: 07015335980208FBEF11DFA1DD02BDEBB74EB00350F108022BA146E1A0D772DAA0ABC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                  • Instruction ID: f86e8bef0b9f5b7b48e3b9b3acc0b6cb1fd06cabc4355fe6e2609782588421e0
                                                  • Opcode Fuzzy Hash: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                  • Instruction Fuzzy Hash: B401EC7594020CBEEF11DF80DC42FEDBB79EB09740F108051FA046D091D7B29AA5AB95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                  • Instruction ID: e7353d8a689e469959c960a5bb5359493e28a0ae3a5db89d5c895ffd79e8d98e
                                                  • Opcode Fuzzy Hash: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                  • Instruction Fuzzy Hash: 64F04970D00208FBEB10DF90CC06BADBFB0EB01341F204065F9007A1A0D7B6AB94DB85
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                  • Instruction ID: 682ee749917f4e023bc7197140f76a097522797ecf20c1f45cbbd45c019d52a4
                                                  • Opcode Fuzzy Hash: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                  • Instruction Fuzzy Hash: 3CF0FE74D44258EBDB14EE90D8057EDBA74E706305F504266EA04AE190D3B18BA4DB96
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                  • Instruction ID: 02fc14b9e54e6900d73ffd4e28a19c8708dbe27031dd51c44bf3dba7fdb031ba
                                                  • Opcode Fuzzy Hash: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                  • Instruction Fuzzy Hash: ECF05474A00308FBEB21CF94CD81B9CBBB0EF09300F2080E4FE0467381E6B15A509B51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                  • Instruction ID: bbfaceb90791bb35eed418166a23c42ee1e6653db07919fbe020635ad9369783
                                                  • Opcode Fuzzy Hash: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                  • Instruction Fuzzy Hash: B9F03975D00218EBDB00EE90D80ABAEBA78EB15301F100465EA086E190D3B59B54DA96
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                  • Instruction ID: 33dc01a3c2299a3cd355405e5767cb27c6d7fba89f237eed4e622fd5132f0db0
                                                  • Opcode Fuzzy Hash: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                  • Instruction Fuzzy Hash: 5AE08C34D49308B7D610EF40AC87B28BA35E706701F505056FA043A090E7F2AA649A8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                  • Instruction ID: 761fadcd4debd2308a54b226b4f8dff580185d7010702b48f65d1b5b1071df53
                                                  • Opcode Fuzzy Hash: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                  • Instruction Fuzzy Hash: 66E08C34D45308B7D610EF50EC43B6CBB34E707700F108056FA083A1A0D7B29E60ABCA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                  • Instruction ID: 1fae9ae4253266a87bc96311d46508b5db8f13d56845d8971887a42445dbbd4a
                                                  • Opcode Fuzzy Hash: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                  • Instruction Fuzzy Hash: 7DD05B70D45218F7DA10EF54AC03B39BB34D707761F205261FB143E1D5D6B25920D5DA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                  • Instruction ID: 2a9e0740773b8b6f5e110bd1e2332ab73de667f723c53b2bed2784798aa44a4a
                                                  • Opcode Fuzzy Hash: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                  • Instruction Fuzzy Hash: 90B01232125BD44EC1038309C423B11B7ECE300D48F090090D451C7542C14CF610C494
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?,00000001,?,00000001,?,?,?,?,?,?,00000000,007B7F28,00000000), ref: 004AD544
                                                  • LoadLibraryA.KERNEL32(?,00000001,00000000,00000001,?,?,00797D2C,?,?,?,?,?,?,00000000,007B7F28,00000000), ref: 004AD581
                                                  • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004AD5B7
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007B7F28,00000000), ref: 004AD5C2
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007B7F28,00000000), ref: 004AD5D0
                                                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004AD6DD
                                                  • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004AD712
                                                  • CLSIDFromString.COMBASE(00000000), ref: 004AD7D7
                                                  • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 004AD7F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Library$LoadType$FreeRegister$AddressFromProcString
                                                  • String ID: DllRegisterServer$DllUnregisterServer
                                                  • API String ID: 2476498075-2931954178
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                  • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                  • wsprintfA.USER32 ref: 10029676
                                                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                    • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                  • atoi.MSVCRT(?), ref: 100296CB
                                                  • strchr.MSVCRT ref: 10029703
                                                  • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                  • wsprintfA.USER32 ref: 10029739
                                                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                  • String ID: DLL ERROR
                                                  • API String ID: 3187504500-4092134112
                                                  APIs
                                                  • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                  • strrchr.MSVCRT ref: 10028EC7
                                                  • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                  • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                  • String ID:
                                                  • API String ID: 1380196384-0
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00520A62,?,Microsoft Visual C++ Runtime Library,00012010,?,00787CC4,?,00787D14,?,?,?,Runtime Error!Program: ), ref: 005280F7
                                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0052810F
                                                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00528120
                                                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0052812D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                  • API String ID: 2238633743-4044615076
                                                  • Opcode ID: 792fe3b800cfd1443a716b6eee4d08c378bb0ea973cca34aaa25e0474ff16657
                                                  • Instruction ID: fe99866abb1f60ea638e2dbaed267f5ea370de2e9a9f38f636c557b9de20cb51
                                                  • Opcode Fuzzy Hash: 792fe3b800cfd1443a716b6eee4d08c378bb0ea973cca34aaa25e0474ff16657
                                                  • Instruction Fuzzy Hash: 6C01B171606361AFC711AFF5BCC092B3EFCBB5EB907048429B200C72A1DE788856DB21
                                                  APIs
                                                  • LCMapStringW.KERNEL32(00000000,00000100,00787F4C,00000001,00000000,00000000,7556E860,007EAE84,?,?,?,0051C5DD,?,?,?,00000000), ref: 00523EA6
                                                  • LCMapStringA.KERNEL32(00000000,00000100,00787F48,00000001,00000000,00000000,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 00523EC2
                                                  • LCMapStringA.KERNEL32(?,?,?,0051C5DD,?,?,7556E860,007EAE84,?,?,?,0051C5DD,?,?,?,00000000), ref: 00523F0B
                                                  • MultiByteToWideChar.KERNEL32(?,007EAE85,?,0051C5DD,00000000,00000000,7556E860,007EAE84,?,?,?,0051C5DD,?,?,?,00000000), ref: 00523F43
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0051C5DD,?,00000000,?,?,0051C5DD,?), ref: 00523F9B
                                                  • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0051C5DD,?), ref: 00523FB1
                                                  • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0051C5DD,?), ref: 00523FE4
                                                  • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0051C5DD,?), ref: 0052404C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: String$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 352835431-0
                                                  • Opcode ID: 03464a17a04155d51b456ad515cb3a384b07b8bc9ca4ed0a0d9d8de2cc7ea127
                                                  • Instruction ID: 14ae6475db63bf7133f17c353231425956f6ea6306cbdbdd5336ea38a537395f
                                                  • Opcode Fuzzy Hash: 03464a17a04155d51b456ad515cb3a384b07b8bc9ca4ed0a0d9d8de2cc7ea127
                                                  • Instruction Fuzzy Hash: 8C516E31900269BFDF228F95ED459EE7FB9FF89750F204119F911A61A0C3398E50EBA1
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 005209AB
                                                  • GetStdHandle.KERNEL32(000000F4,00787CC4,00000000,00000000,00000000,?), ref: 00520A81
                                                  • WriteFile.KERNEL32(00000000), ref: 00520A88
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: File$HandleModuleNameWrite
                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                  • API String ID: 3784150691-4022980321
                                                  • Opcode ID: a3152ee3b1d9b7dfe6a1655b44ec816b37a27feb7052b77dc335693d61efc21a
                                                  • Instruction ID: 215f61d17169500977cafc0756946f24c0dd8b64cf281f06843306d0a5c72fcd
                                                  • Opcode Fuzzy Hash: a3152ee3b1d9b7dfe6a1655b44ec816b37a27feb7052b77dc335693d61efc21a
                                                  • Instruction Fuzzy Hash: 8031C8B2A01229AFEF20E760EC4AFAA7B7CBF96300F500555F445D60D2E674DA85CB61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %I64d$%lf
                                                  • API String ID: 0-1545097854
                                                  • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                  • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                  • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                  • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 00520392
                                                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 005203A6
                                                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 005203D2
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A8BF), ref: 0052040A
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A8BF), ref: 0052042C
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0051A8BF), ref: 00520445
                                                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 00520458
                                                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00520496
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                  • String ID:
                                                  • API String ID: 1823725401-0
                                                  • Opcode ID: 9a7140e89ad0a5ea3e16bf55feeb579e3cf5f0ca86937572eec0c3b2da3b7e1b
                                                  • Instruction ID: fb79d8fa1e10e6d420733441b23eafa4e9304ae8f1472da1932fe1321c1c2cf7
                                                  • Opcode Fuzzy Hash: 9a7140e89ad0a5ea3e16bf55feeb579e3cf5f0ca86937572eec0c3b2da3b7e1b
                                                  • Instruction Fuzzy Hash: 1B31E9725062756F9F207F747CC483B7EACFE9A3587155929F685C31C3E6219C4092E1
                                                  APIs
                                                  • GetStringTypeW.KERNEL32(00000001,00787F4C,00000001,?,7556E860,007EAE84,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 00527677
                                                  • GetStringTypeA.KERNEL32(00000000,00000001,00787F48,00000001,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 00527691
                                                  • GetStringTypeA.KERNEL32(?,?,?,?,0051C5DD,7556E860,007EAE84,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 005276C5
                                                  • MultiByteToWideChar.KERNEL32(?,007EAE85,?,?,00000000,00000000,7556E860,007EAE84,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 005276FD
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0051C5DD,?), ref: 00527753
                                                  • GetStringTypeW.KERNEL32(?,?,00000000,0051C5DD,?,?,?,?,?,?,0051C5DD,?), ref: 00527765
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: StringType$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 3852931651-0
                                                  • Opcode ID: 36155b4ef131cccbe7d270390a2c51143a2deb1624e81bb878efece7493046cb
                                                  • Instruction ID: 597070c923135ded471687ec2f2f42941fe6199ac06a8cd849b2699ab23ac12b
                                                  • Opcode Fuzzy Hash: 36155b4ef131cccbe7d270390a2c51143a2deb1624e81bb878efece7493046cb
                                                  • Instruction Fuzzy Hash: 03415772604269AFCF209F99ED86DEA3FB9FF1A750F104825F901A6290C3359951DBA0
                                                  APIs
                                                  • TlsGetValue.KERNEL32(007E6BBC,007E6BAC,00000000,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 00536583
                                                  • EnterCriticalSection.KERNEL32(007E6BD8,00000010,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 005365D2
                                                  • LeaveCriticalSection.KERNEL32(007E6BD8,00000000,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 005365E5
                                                  • LocalAlloc.KERNEL32(00000000,00000004,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 005365FB
                                                  • LocalReAlloc.KERNEL32(?,00000004,00000002,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 0053660D
                                                  • TlsSetValue.KERNEL32(007E6BBC,00000000), ref: 00536649
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                  • String ID:
                                                  • API String ID: 4117633390-0
                                                  • Opcode ID: 61805443c8a8351442137a9e57ac4b1c3be5a60a2bf153fc7916f80144d1d86d
                                                  • Instruction ID: 55b3d0f08750edec2ebc7dc7861caa6c1fcd96b1acc8a37fa5d869030241e0c2
                                                  • Opcode Fuzzy Hash: 61805443c8a8351442137a9e57ac4b1c3be5a60a2bf153fc7916f80144d1d86d
                                                  • Instruction Fuzzy Hash: 35314975100606BFDB24DF55D89AE66BBF8FB85350F00C92DF41687650EB70E919CB60
                                                  APIs
                                                  • GetVersionExA.KERNEL32 ref: 0052077F
                                                  • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 005207B4
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00520814
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentFileModuleNameVariableVersion
                                                  • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                  • API String ID: 1385375860-4131005785
                                                  • Opcode ID: 440fda4537c046cfba2bea620696646bd6015c4b57b438a01dae16c211dc6bbb
                                                  • Instruction ID: 38aebf5d356e5894bbc6bf709ec86e70be0d15cc57989b4e950530980520069d
                                                  • Opcode Fuzzy Hash: 440fda4537c046cfba2bea620696646bd6015c4b57b438a01dae16c211dc6bbb
                                                  • Instruction Fuzzy Hash: 55311172843268ADFB359770BC95AEA3F68BF13304F1824D5E085D61C3E2209EC6CB51
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 005370CD
                                                    • Part of subcall function 005371B9: lstrlenA.KERNEL32(00000104,00000000,?,005370FD), ref: 005371F0
                                                  • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0053716E
                                                  • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0053719B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                  • String ID: .HLP$.INI
                                                  • API String ID: 2421895198-3011182340
                                                  • Opcode ID: a4d06a7bac7cc6fda34b5e99f33207e8f5a8a1a8a0cc29b185e5dc38a4b6dd51
                                                  • Instruction ID: e21baaa892e7adcb7c9e64bd44f2f3cea0972943c681b03900931415b9a229f3
                                                  • Opcode Fuzzy Hash: a4d06a7bac7cc6fda34b5e99f33207e8f5a8a1a8a0cc29b185e5dc38a4b6dd51
                                                  • Instruction Fuzzy Hash: 893170B6904719AFDB21EB74D885BC6BBFCBB08300F10496AE599D3151EB70A9C4CB60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8babf01c46c35fbcc378d5fe8ccf2c325347c6f407f1acf56345e987f9d358bb
                                                  • Instruction ID: 5e82fb5a3109f1ce10c0b3b49d9e5c7c6d445eea0027053399547625f7ede302
                                                  • Opcode Fuzzy Hash: 8babf01c46c35fbcc378d5fe8ccf2c325347c6f407f1acf56345e987f9d358bb
                                                  • Instruction Fuzzy Hash: 2EC1A6729042169FC714DF65D88197BB7E8EFA6308F04492EF85697301E738ED06CBA6
                                                  APIs
                                                  • GetStartupInfoA.KERNEL32(?), ref: 00520507
                                                  • GetFileType.KERNEL32(?,?,00000000), ref: 005205B2
                                                  • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00520615
                                                  • GetFileType.KERNEL32(00000000,?,00000000), ref: 00520623
                                                  • SetHandleCount.KERNEL32 ref: 0052065A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileHandleType$CountInfoStartup
                                                  • String ID:
                                                  • API String ID: 1710529072-0
                                                  • Opcode ID: 49c5755bbbd1fe718969dd2f4583fd18a80e01cda9d8f67e3f9765a0dde9514e
                                                  • Instruction ID: 1c29c3505451ad036d74a85143f1a6853d5efbc8c2edbe24c989332a4b615159
                                                  • Opcode Fuzzy Hash: 49c5755bbbd1fe718969dd2f4583fd18a80e01cda9d8f67e3f9765a0dde9514e
                                                  • Instruction Fuzzy Hash: 335149716022618FCB20CB28E8887697FE0FF57324F259A68D496CB2E2D734EC05CB51
                                                  APIs
                                                  • midiStreamStop.WINMM(?,00000000,-000001A5,00000000,004BECEA,00000000,007B7F28,004B4F26), ref: 004BF1B5
                                                  • midiOutReset.WINMM(?), ref: 004BF1D3
                                                  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 004BF1F6
                                                  • midiStreamClose.WINMM(?), ref: 004BF233
                                                  • midiStreamClose.WINMM(?), ref: 004BF267
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: midi$Stream$Close$ObjectResetSingleStopWait
                                                  • String ID:
                                                  • API String ID: 3142198506-0
                                                  • Opcode ID: e50851e1c307558b88efe84799370cacadd9c741baf316fbf7b6c1d26342d3fc
                                                  • Instruction ID: 7629fc3d6dad16340d03b3c37b4ebdbbc5203353f4e310604fa90407f46a546f
                                                  • Opcode Fuzzy Hash: e50851e1c307558b88efe84799370cacadd9c741baf316fbf7b6c1d26342d3fc
                                                  • Instruction Fuzzy Hash: 01313E76200701CBCB249FA9D88459BB7F5FB94705B14893FE18AC6640C779DC498BA8
                                                  APIs
                                                  • GetLastError.KERNEL32(00000103,7FFFFFFF,0051CBD2,0051F4E7,00000000,?,?,00000000,00000001), ref: 005206CE
                                                  • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005206DC
                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520728
                                                    • Part of subcall function 0051CFC6: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 0051D0BC
                                                  • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520700
                                                  • GetCurrentThreadId.KERNEL32 ref: 00520711
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                  • String ID:
                                                  • API String ID: 2020098873-0
                                                  • Opcode ID: 974f7ae0e67cc05f8cce2190a4064026d72505ed4f72b4a836827af777de2bfc
                                                  • Instruction ID: 3dc7a79f620f1944263cadcde3bd7598e021e209c1ffff6266cc758edc579e4b
                                                  • Opcode Fuzzy Hash: 974f7ae0e67cc05f8cce2190a4064026d72505ed4f72b4a836827af777de2bfc
                                                  • Instruction Fuzzy Hash: 0DF02B366022225FD7312B30BC0DA5A7F31FF82771B144515F942953E1CF3098819A71
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(007E6D70,?,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213), ref: 005374F0
                                                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213), ref: 00537502
                                                  • LeaveCriticalSection.KERNEL32(007E6D70,?,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213), ref: 0053750B
                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213,00531617), ref: 0053751D
                                                    • Part of subcall function 00537422: GetVersion.KERNEL32(?,005374C5,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213,00531617,005328BF), ref: 00537435
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                  • String ID: pm~
                                                  • API String ID: 1193629340-3428776083
                                                  • Opcode ID: ae40e1ac29874b1952d2015ba520e3995dc4929c57f54031180fce7413e0053e
                                                  • Instruction ID: 6ed2df4f9d0587cbb123f2fb6e156edad95f128ec528c9fcab73caf2ed5af041
                                                  • Opcode Fuzzy Hash: ae40e1ac29874b1952d2015ba520e3995dc4929c57f54031180fce7413e0053e
                                                  • Instruction Fuzzy Hash: 0BF0817560224EDFCF20DFA4FCC4856BB7DFB2C362B404426E60582011D734F459CA64
                                                  APIs
                                                  • wsprintfA.USER32 ref: 10027B78
                                                  • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Messagewsprintf
                                                  • String ID: error$program internal error number is %d. %s
                                                  • API String ID: 300413163-3752934751
                                                  • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                  • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                  • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                  • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                  APIs
                                                  • HeapAlloc.KERNEL32(00000000,00002020,007A91D0,007A91D0,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524CDD
                                                  • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D01
                                                  • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D1B
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000,?), ref: 00524DDC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000,?,00000000), ref: 00524DF3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual$FreeHeap
                                                  • String ID:
                                                  • API String ID: 714016831-0
                                                  • Opcode ID: e9afc61a88abe7da6a5d40d5ca0f396006408d0014514c19532cb76d0c12edbd
                                                  • Instruction ID: a1c36fb61aee3d953d60584b69bada95ba15593656a5d3dcb543d205850372e7
                                                  • Opcode Fuzzy Hash: e9afc61a88abe7da6a5d40d5ca0f396006408d0014514c19532cb76d0c12edbd
                                                  • Instruction Fuzzy Hash: C73100716417169BD3308F28FC49B21BBB4FB86B54F108A39E6559B2D0E778A810CF58
                                                  APIs
                                                  • midiStreamOpen.WINMM(-00000189,-00000161,00000001,004C0100,-000001A5,00030000,?,-000001A5,?,00000000), ref: 004BFB0B
                                                  • midiStreamProperty.WINMM ref: 004BFBF2
                                                  • midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,-000001A5,?,00000000), ref: 004BFD40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: midi$Stream$HeaderOpenPrepareProperty
                                                  • String ID:
                                                  • API String ID: 2061886437-0
                                                  • Opcode ID: b9fe385853a206b0e19cd443e173e6668b6ad0f98898d5e6cc2783384e9c8bf8
                                                  • Instruction ID: 490a221eb9eb3a2d450a816272d402b48c87a160cdedb8f36bc3a2fdefa69af7
                                                  • Opcode Fuzzy Hash: b9fe385853a206b0e19cd443e173e6668b6ad0f98898d5e6cc2783384e9c8bf8
                                                  • Instruction Fuzzy Hash: 23A15BB52006068FC724DF28D894BAAB7F6FB84304F10492EE69AC7751EB35F959CB50
                                                  APIs
                                                  • malloc.MSVCRT ref: 10029FB3
                                                  • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                  • free.MSVCRT ref: 10029FF6
                                                  • free.MSVCRT ref: 1002A014
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: free$Stringmalloc
                                                  • String ID:
                                                  • API String ID: 3576809655-0
                                                  • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                  • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                  • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                  • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                  APIs
                                                  • GetVersion.KERNEL32 ref: 0051A84F
                                                    • Part of subcall function 005208A8: HeapCreate.KERNEL32(00000000,00001000,00000000,0051A887,00000001), ref: 005208B9
                                                    • Part of subcall function 005208A8: HeapDestroy.KERNEL32 ref: 005208F8
                                                  • GetCommandLineA.KERNEL32 ref: 0051A8AF
                                                  • GetStartupInfoA.KERNEL32(?), ref: 0051A8DA
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0051A8FD
                                                    • Part of subcall function 0051A956: ExitProcess.KERNEL32 ref: 0051A973
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                  • String ID:
                                                  • API String ID: 2057626494-0
                                                  • Opcode ID: beafcfaabc616e5ab603c5abd7d47544d94231d53e3847d468593dd36544bc85
                                                  • Instruction ID: 0c5682f92a0ea5e7677c73f628dba2564fe3f00436a561b64aae1fa923127c79
                                                  • Opcode Fuzzy Hash: beafcfaabc616e5ab603c5abd7d47544d94231d53e3847d468593dd36544bc85
                                                  • Instruction Fuzzy Hash: 6D21B9718413569FEB04ABB4EC4EAAD7F78FF95710F104429F5019B2D2DB388880C761
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                  • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                  • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2719918789.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateWrite
                                                  • String ID:
                                                  • API String ID: 3602564925-0
                                                  • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                  • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                  • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                  • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
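Added example, not part of the Joe Sandbox report: a small Python parser for the "APIs" lines of the function entries above. It turns the raw hexadecimal stack arguments of the VirtualAlloc/VirtualFree allocator at ref 00524CDD and of the CreateFileA/WriteFile routine at ref 10028DC8 (in the 10000000 module) into their Win32 constant names, so a triager can read "reserve 4 MiB RW, commit 64 KiB" and "GENERIC_WRITE, CREATE_ALWAYS" instead of 00002000/00000004 and 40000000/00000002. The sample input is copied from this page; the per-API parameter counts and the constant tables are standard Win32 values; the two heuristics at the end (file_drop_calls, is_executable_alloc) are my own triage rules and not the sandbox's signature logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: "APIs" lines copied verbatim from the function entries of this report.
SAMPLE_LINES = """\
• HeapAlloc.KERNEL32(00000000,00002020,007A91D0,007A91D0,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524CDD
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D01
• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D1B
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000,?), ref: 00524DDC
  • Part of subcall function 005208A8: HeapCreate.KERNEL32(00000000,00001000,00000000,0051A887,00000001), ref: 005208B9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
• WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
• wsprintfA.USER32 ref: 10027B78
"""

# One report line: optional "Part of subcall function X:" prefix, API.MODULE, optional
# argument list, and the "ref:" address of the call site.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Real parameter count per API (Win32 prototypes). The sandbox prints 16 stack slots;
# slots beyond the prototype are caller frames and return addresses, not arguments.
PARAM_COUNTS: Dict[str, int] = {"HeapAlloc": 3, "VirtualAlloc": 4, "VirtualFree": 3,
                                "HeapCreate": 3, "CreateFileA": 7, "WriteFile": 5}

MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
            0x8000: "MEM_RELEASE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN",
            0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
             0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
             0x04: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
             0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                      # call-site address from "ref:"
    args: List[Optional[int]]     # None where the sandbox printed '?'
    subcall_of: Optional[int] = None


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    """Hex stack slots -> ints; '?' -> None; '-00000008' is a signed slot."""
    if not text:
        return []
    return [None if t.strip() == "?" else int(t.strip(), 16) for t in text.split(",")]


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = parse_args(m.group("args"))
        n = PARAM_COUNTS.get(m.group("api"))
        if n is not None:
            args = args[:n]           # drop the stack noise past the real parameters
        calls.append(ApiCall(m.group("api"), m.group("mod"), int(m.group("ref"), 16), args,
                             int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def decode_bits(value: int, table: Dict[int, str]) -> str:
    """Bitmask -> 'NAME|NAME', with any unknown residue kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def hx(v: Optional[int]) -> str:
    return "?" if v is None else f"0x{v:X}"


def describe(call: ApiCall) -> str:
    """Human-readable rendering of the calls that matter for triage."""
    a = call.args
    if call.api == "VirtualAlloc" and len(a) == 4:
        detail = (f"size={hx(a[1])} type={decode_bits(a[2] or 0, MEM_TYPE)} "
                  f"prot={decode_bits(a[3] or 0, PAGE_PROT)}")
    elif call.api == "VirtualFree" and len(a) == 3:
        detail = f"type={decode_bits(a[2] or 0, MEM_TYPE)}"
    elif call.api == "CreateFileA" and len(a) == 7:
        detail = (f"access={decode_bits(a[1] or 0, ACCESS)} "
                  f"disposition={DISPOSITION.get(a[4], hx(a[4]))} "
                  f"attrs={decode_bits(a[5] or 0, FILE_ATTR)}")
    else:
        detail = ",".join(hx(v) for v in a)
    return f"{call.api}.{call.module} @{call.ref:08X}: {detail}"


def file_drop_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Triage heuristic (mine): CreateFileA opened for writing with a creating disposition."""
    return [c for c in calls if c.api == "CreateFileA" and len(c.args) == 7
            and c.args[1] is not None and c.args[1] & 0x50000000
            and c.args[4] in (1, 2)]


def is_executable_alloc(call: ApiCall) -> bool:
    """Triage heuristic (mine): VirtualAlloc asking for any PAGE_EXECUTE_* protection."""
    return (call.api == "VirtualAlloc" and len(call.args) == 4
            and call.args[3] is not None and bool(call.args[3] & 0xF0))


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_LINES):
        print(describe(c))
```

Read over this report's entries, the allocator at 00524CDD reserves 0x400000 bytes as PAGE_READWRITE and commits 0x10000 of it, a private-heap pattern with no executable protection, while the 10000000 module's routine at 10028DC8 opens a file with GENERIC_WRITE and CREATE_ALWAYS, which is where a dropped-file signature would fire.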
                                                  APIs
                                                  • GetCPInfo.KERNEL32(?,00000000), ref: 0051FA33
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2716922543.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717055308.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717310863.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717333184.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717356987.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717378880.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717400572.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717420406.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717443373.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007B8000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717463162.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2717584888.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Info
                                                  • String ID: $
                                                  • API String ID: 1807457897-3032137957
                                                  • Opcode ID: c1caa2e242e4cb58746d9e6031f43cb60e3ca87dc595769c353ba130a0442ae4
                                                  • Instruction ID: efacea20c57f77716f9e8e54182df7b98714f7195512478bc6f9794aaff18cd6
                                                  • Opcode Fuzzy Hash: c1caa2e242e4cb58746d9e6031f43cb60e3ca87dc595769c353ba130a0442ae4
                                                  • Instruction Fuzzy Hash: DA4136710092982AEB11D754DDA9FEB7FA8BB09700F1405F5D14ACB192C26D9A84DB63
                                                  APIs
                                                    • Part of subcall function 0051D76C: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0051A909,00000000), ref: 0051D79A
                                                  • __EH_prolog.LIBCMT ref: 0052A95B
                                                  • lstrcpynA.KERNEL32(?,?,00000104), ref: 0052AA48
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0052E240
                                                    • Part of subcall function 005322C4: __EH_prolog.LIBCMT ref: 005322C9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  APIs
                                                  • HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,005245E2,00000000,00000000,00000000,0051C1B3,00000000,00000000,?,00000000,00000000,00000000), ref: 00524842
                                                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005245E2,00000000,00000000,00000000,0051C1B3,00000000,00000000,?,00000000,00000000,00000000), ref: 00524876
                                                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00524890
                                                  • HeapFree.KERNEL32(00000000,?), ref: 005248A7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  APIs
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F48
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F50
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F58
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2716949684.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

                                                  Execution Graph

Execution Coverage: 7.1%
Dynamic/Decrypted Code Coverage: 56.1%
Signature Coverage: 0%
Total number of Nodes: 610
Total number of Limit Nodes: 20
22677->22678 22679 5361f7 22678->22679 22680 5328c6 22679->22680 22723 536805 22679->22723 22682 537039 SetErrorMode SetErrorMode 22680->22682 22683 5361e8 65 API calls 22682->22683 22684 537050 22683->22684 22685 5361e8 65 API calls 22684->22685 22686 53705f 22685->22686 22687 537085 22686->22687 22731 53709c 22686->22731 22689 5361e8 65 API calls 22687->22689 22690 53708a 22689->22690 22691 5328de 22690->22691 22750 531627 22690->22750 22693 537860 68 API calls 22691->22693 22693->22670 22695 5361e8 65 API calls 22694->22695 22696 536213 22695->22696 22699 536770 22696->22699 22700 5367a6 TlsGetValue 22699->22700 22701 536779 22699->22701 22702 5367b9 22700->22702 22707 536793 22701->22707 22720 536370 65 API calls 22701->22720 22705 531617 22702->22705 22708 5367cc 22702->22708 22704 5367a4 22704->22700 22705->22675 22705->22676 22710 536409 EnterCriticalSection 22707->22710 22721 536578 65 API calls 22708->22721 22711 536428 22710->22711 22713 536462 GlobalAlloc 22711->22713 22714 536475 GlobalHandle GlobalUnlock GlobalReAlloc 22711->22714 22719 5364e4 22711->22719 22712 5364f9 LeaveCriticalSection 22712->22704 22715 536497 22713->22715 22714->22715 22716 5364c0 GlobalLock 22715->22716 22717 5364a5 GlobalHandle GlobalLock LeaveCriticalSection 22715->22717 22716->22719 22722 52a924 65 API calls __EH_prolog 22717->22722 22719->22712 22720->22707 22721->22705 22722->22716 22724 53680f __EH_prolog 22723->22724 22725 53683d 22724->22725 22729 5374b5 6 API calls 22724->22729 22725->22680 22727 536826 22730 537525 LeaveCriticalSection 22727->22730 22729->22727 22730->22725 22732 5361e8 65 API calls 22731->22732 22733 5370af GetModuleFileNameA 22732->22733 22761 51c7f7 22733->22761 22735 5370e1 22767 5371b9 lstrlenA lstrcpynA 22735->22767 22737 5370fd 22738 537113 22737->22738 22772 51ef7c 29 API calls 22737->22772 22749 53714d 22738->22749 22768 53219a 22738->22768 22741 537165 lstrcpyA 22774 51ef7c 29 API calls 22741->22774 22742 53718f lstrcatA 22775 51ef7c 29 API 
calls 22742->22775 22744 537180 22744->22742 22747 5371ad 22744->22747 22747->22687 22749->22741 22749->22744 22751 5361e8 65 API calls 22750->22751 22752 53162c 22751->22752 22753 531684 22752->22753 22778 535fb6 22752->22778 22753->22691 22756 536805 7 API calls 22757 531662 22756->22757 22758 53166f 22757->22758 22760 5361e8 65 API calls 22757->22760 22759 536770 65 API calls 22758->22759 22759->22753 22760->22758 22762 51c814 22761->22762 22764 51c805 22761->22764 22776 522f64 29 API calls 22762->22776 22764->22735 22765 51c81c 22777 522fc5 LeaveCriticalSection 22765->22777 22767->22737 22769 5361e8 65 API calls 22768->22769 22770 5321a0 LoadStringA 22769->22770 22771 5321bb 22770->22771 22773 51ef7c 29 API calls 22771->22773 22772->22738 22773->22749 22774->22744 22775->22747 22776->22765 22777->22764 22779 536770 65 API calls 22778->22779 22780 531638 GetCurrentThreadId SetWindowsHookExA 22779->22780 22780->22756 22957 10026c7b HeapAlloc 23018 10026f7c 45 API calls 22961 1002708e 33 API calls 23022 10027192 59 API calls 23025 10026f9b 23 API calls 22964 10026e99 89 API calls 22967 100274b1 10 API calls 23030 51efe5 32 API calls 22968 535ae6 65 API calls __EH_prolog 22970 1002a472 __CxxFrameHandler 22971 10026eb8 90 API calls 22972 10026cb9 23 API calls 22975 51d694 RtlUnwind 22976 1001a595 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 23033 10026dc5 30 API calls 23034 4ac780 67 API calls 22781 4b4f80 22784 4b4f60 22781->22784 22787 4accc0 22784->22787 22786 4b4f71 22788 4acceb 22787->22788 22789 4acd83 22787->22789 22791 4acd0a 22788->22791 22792 4acd13 GetProcAddress 22788->22792 22790 4ad01c 22789->22790 22793 4acdb1 22789->22793 22866 51b4b8 6 API calls 22789->22866 22790->22786 22862 51b4b8 6 API calls 22791->22862 22797 4acd33 22792->22797 22798 4acd66 22792->22798 22806 4aceef 22793->22806 22809 4acddc 22793->22809 22863 4b6440 32 API calls 22797->22863 22865 4acca0 35 API calls 22798->22865 22801 4acef4 LoadLibraryA 22804 4acf04 GetProcAddress 
22801->22804 22801->22806 22802 4acd43 22864 4ad090 75 API calls 22802->22864 22803 4acd6d 22803->22786 22804->22806 22806->22801 22810 4acf4a 22806->22810 22811 4acf36 FreeLibrary 22806->22811 22807 4acd55 22812 52c8d4 32 API calls 22807->22812 22808 4aceba LoadLibraryA 22808->22810 22815 4acec7 GetProcAddress 22808->22815 22809->22808 22813 4ace08 22809->22813 22814 4ace30 22809->22814 22810->22790 22817 4acf5f FreeLibrary 22810->22817 22818 4acf66 22810->22818 22811->22806 22812->22798 22816 52cb1d 35 API calls 22813->22816 22849 52cb1d 22814->22849 22815->22810 22820 4aced7 22815->22820 22821 4ace14 LoadLibraryA 22816->22821 22817->22818 22827 4acfca 22818->22827 22828 4acf77 22818->22828 22820->22810 22824 52c8d4 32 API calls 22821->22824 22823 52cb1d 35 API calls 22825 4ace5a LoadLibraryA 22823->22825 22826 4ace24 22824->22826 22857 52c8d4 22825->22857 22826->22814 22826->22815 22869 4b6440 32 API calls 22827->22869 22867 4b6440 32 API calls 22828->22867 22832 4acf8c 22868 4ad090 75 API calls 22832->22868 22834 4acfde 22870 4ad090 75 API calls 22834->22870 22836 52c8d4 32 API calls 22839 4ace7b 22836->22839 22838 4acfa3 22841 52c8d4 32 API calls 22838->22841 22839->22815 22844 4aceb2 22839->22844 22846 52cb1d 35 API calls 22839->22846 22840 4acff5 22842 52c8d4 32 API calls 22840->22842 22843 4acfb4 22841->22843 22845 4ad006 22842->22845 22843->22786 22844->22808 22844->22815 22845->22786 22847 4acea2 LoadLibraryA 22846->22847 22848 52c8d4 32 API calls 22847->22848 22848->22844 22850 52cb27 __EH_prolog 22849->22850 22851 52cb42 22850->22851 22852 52cb46 lstrlenA 22850->22852 22871 52ca79 22851->22871 22852->22851 22854 52cb64 22855 52c8d4 32 API calls 22854->22855 22856 4ace46 22855->22856 22856->22823 22858 52c8e4 InterlockedDecrement 22857->22858 22859 4ace6a 22857->22859 22858->22859 22860 52c8f2 22858->22860 22859->22836 22892 52c7c3 22860->22892 22862->22792 22863->22802 22864->22807 22865->22803 22866->22793 22867->22832 22868->22838 22869->22834 
22870->22840 22872 52ca93 22871->22872 22873 52ca8d 22871->22873 22872->22854 22875 52c741 22873->22875 22878 52c756 22875->22878 22879 52c74d 22875->22879 22876 52c75e 22882 51a6ad 22876->22882 22878->22876 22880 52c79d 22878->22880 22879->22872 22889 52c615 29 API calls 22880->22889 22890 51e094 22882->22890 22884 51a6b7 EnterCriticalSection 22885 51a6d5 22884->22885 22886 51a706 LeaveCriticalSection 22884->22886 22891 52c0fe 29 API calls 22885->22891 22886->22879 22888 51a6e7 22888->22886 22889->22879 22890->22884 22891->22888 22893 52c7cb 22892->22893 22895 52c7d7 22892->22895 22903 51a73c EnterCriticalSection LeaveCriticalSection 22893->22903 22895->22893 22897 52c804 22895->22897 22896 52c7d6 22896->22859 22900 52c63e 22897->22900 22904 51c03e 22900->22904 22903->22896 22905 51c118 22904->22905 22906 51c06c 22904->22906 22905->22859 22907 51c0b1 22906->22907 22908 51c076 22906->22908 22909 51c0a2 22907->22909 22924 522f64 29 API calls 22907->22924 22921 522f64 29 API calls 22908->22921 22909->22905 22911 51c10a RtlFreeHeap 22909->22911 22911->22905 22913 51c07d 22920 51c097 22913->22920 22922 5241e8 VirtualFree VirtualFree HeapFree 22913->22922 22914 51c0bd 22917 51c0e9 22914->22917 22925 524f6f VirtualFree HeapFree VirtualFree 22914->22925 22926 51c100 LeaveCriticalSection 22917->22926 22923 51c0a8 LeaveCriticalSection 22920->22923 22921->22913 22922->22920 22923->22909 22924->22914 22925->22917 22926->22909 23035 4b6d80 GetDeviceCaps MulDiv ReleaseDC 23038 10026bd6 25 API calls 22979 100270d8 28 API calls 22980 10026cd8 22 API calls 23041 10026de4 84 API calls 23045 100291f3 ??3@YAXPAX GetProcessHeap HeapFree 23046 100293f0 ??3@YAXPAX 22986 10026ef6 75 API calls 22987 10026cf7 43 API calls

                                                  Control-flow Graph (function entry 100193c2; legend: • Executed • Not Executed; graph rendering not reproduced in this extraction)
                                                  APIs
                                                    • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                    • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                    • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                    • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                  • String ID: @
                                                  • API String ID: 183890193-2766056989
                                                  • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                  • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                  • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                  • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                  Control-flow Graph (function entry 1000710e; legend: • Executed • Not Executed; graph rendering not reproduced in this extraction)
                                                  APIs
                                                  • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                  • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                  • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Version$InfoNumbersSystem
                                                  • String ID:
                                                  • API String ID: 995872648-0
                                                  • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                  • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                  • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                  • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                  Control-flow Graph (function entry 10007fdd; legend: • Executed • Not Executed; graph rendering not reproduced in this extraction)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: `+Fw
                                                  • API String ID: 3535843008-1178111234
                                                  • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                  • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                  • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                  • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                  Control-flow Graph (function entry 10018ad3; legend: • Executed • Not Executed; graph rendering not reproduced in this extraction)
                                                  APIs
                                                    • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                  • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                    • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Create$Heap$ComputeCrc32Mutex
                                                  • String ID:
                                                  • API String ID: 3311811139-0
                                                  • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                  • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                  • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                  • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlocked
                                                  • String ID:
                                                  • API String ID: 367298776-0
                                                  • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                  • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                  • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                  • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CreateMutex
                                                  • String ID:
                                                  • API String ID: 1964310414-0
                                                  • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                  • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                  • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                  • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

                                                  Control-flow Graph (function entry 4accc0; legend: • Executed • Not Executed; graph rendering not reproduced in this extraction)
                                                  APIs
                                                  • GetProcAddress.KERNEL32(00000000,007A79FC), ref: 004ACD27
                                                  • LoadLibraryA.KERNEL32(?,?,007B80F8), ref: 004ACE17
                                                  • LoadLibraryA.KERNEL32(?,?), ref: 004ACE5D
                                                  • LoadLibraryA.KERNEL32(?,?,007B8000,00000001), ref: 004ACEA5
                                                  • LoadLibraryA.KERNEL32(00000001), ref: 004ACEBB
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004ACECD
                                                  • FreeLibrary.KERNEL32(00000000), ref: 004ACF60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressProc$Free
                                                  • String ID: |zy
                                                  • API String ID: 3120990465-1587744962
                                                  • Opcode ID: 9b8fc7a4a075637a961fd014b40cd6da0828c324ad9ad26fd3e9bf88ab6b33f2
                                                  • Instruction ID: 062bb0e54c7d9c1eaa9a0d998430f1a60a67647b7abcf222d920c93b2b298ce9
                                                  • Opcode Fuzzy Hash: 9b8fc7a4a075637a961fd014b40cd6da0828c324ad9ad26fd3e9bf88ab6b33f2
                                                  • Instruction Fuzzy Hash: 1BA1E571604702AFD714DF68D881BABB7A4FFA6314F044A2EF81597381D738E905CB96

                                                  Control-flow Graph (function starting at 0x536409; interactive graph not reproduced)
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(007E6BD8,007E6BAC,00000000,?,007E6BBC,007E6BBC,005367A4,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF,?,00000000), ref: 00536418
                                                  • GlobalAlloc.KERNEL32(00002002,00000000,?,?,007E6BBC,007E6BBC,005367A4,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF,?,00000000), ref: 0053646D
                                                  • GlobalHandle.KERNEL32(009DC998), ref: 00536476
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0053647F
                                                  • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00536491
                                                  • GlobalHandle.KERNEL32(009DC998), ref: 005364A8
                                                  • GlobalLock.KERNEL32(00000000), ref: 005364AF
                                                  • LeaveCriticalSection.KERNEL32(0051A909,?,?,007E6BBC,007E6BBC,005367A4,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF,?,00000000), ref: 005364B5
                                                  • GlobalLock.KERNEL32(00000000), ref: 005364C4
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0053650D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                  • String ID:
                                                  • API String ID: 2667261700-0
                                                  • Opcode ID: 63fad3f132bf26efb72d39567dfa04d14275eabd59b3a2e8270ee58155730058
                                                  • Instruction ID: 813fc0938114706683b4966c6056f1d0ce4ab11df8034fd0e132a758308a5a0e
                                                  • Opcode Fuzzy Hash: 63fad3f132bf26efb72d39567dfa04d14275eabd59b3a2e8270ee58155730058
                                                  • Instruction Fuzzy Hash: D5317475600305AFDB259F68EC89A2ABBF9FF84300F00492DF856C3761E771E8588B21

                                                  Control-flow Graph (function starting at 0x53709C; interactive graph not reproduced)
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 005370CD
                                                    • Part of subcall function 005371B9: lstrlenA.KERNEL32(00000104,00000000,?,005370FD), ref: 005371F0
                                                  • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0053716E
                                                  • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0053719B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                  • String ID: .HLP$.INI
                                                  • API String ID: 2421895198-3011182340
                                                  • Opcode ID: a4d06a7bac7cc6fda34b5e99f33207e8f5a8a1a8a0cc29b185e5dc38a4b6dd51
                                                  • Instruction ID: e21baaa892e7adcb7c9e64bd44f2f3cea0972943c681b03900931415b9a229f3
                                                  • Opcode Fuzzy Hash: a4d06a7bac7cc6fda34b5e99f33207e8f5a8a1a8a0cc29b185e5dc38a4b6dd51
                                                  • Instruction Fuzzy Hash: 893170B6904719AFDB21EB74D885BC6BBFCBB08300F10496AE599D3151EB70A9C4CB60

                                                  Control-flow Graph (function starting at 0x100294C0; interactive graph not reproduced)
                                                  APIs
                                                  • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                  • GetTickCount.KERNEL32 ref: 10029543
                                                  • wsprintfA.USER32 ref: 10029558
                                                  • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Path$CountExistsFileTempTickwsprintf
                                                  • String ID: %s%x.tmp
                                                  • API String ID: 3843276195-78920241
                                                  • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                  • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                  • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                  • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                                                  Control-flow Graph (function starting at 0x10027BB0; interactive graph not reproduced)
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                  • RtlAllocateHeap.NTDLL(009D0000,00000008,?,?,10028674), ref: 10027BCD
                                                  • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocateMessageProcess
                                                  • String ID: error
                                                  • API String ID: 2992861138-1574812785
                                                  • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                  • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                  • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                  • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                  Control-flow Graph (function starting at 0x10028D40; interactive graph not reproduced)
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                  • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                    • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                    • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(009D0000,00000008,?,?,10028674), ref: 10027BCD
                                                    • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                  • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                  • String ID:
                                                  • API String ID: 749537981-0
                                                  • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                  • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                  • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                  • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                  Control-flow Graph (function starting at 0x531627; interactive graph not reproduced)
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 0053163A
                                                  • SetWindowsHookExA.USER32(000000FF,VcH,00000000,00000000), ref: 0053164A
                                                    • Part of subcall function 00536805: __EH_prolog.LIBCMT ref: 0053680A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CurrentH_prologHookThreadWindows
                                                  • String ID: VcH
                                                  • API String ID: 2183259885-2144458766
                                                  • Opcode ID: e79a605dff223cbcdf09945f7e442b3bb6a7466dcee96778ff42f9b2bc9c6e6c
                                                  • Instruction ID: 3e65eec3cb34cc788a29d143ddb58f0a9e9c687b6a8744adff5aa7bd115b2aae
                                                  • Opcode Fuzzy Hash: e79a605dff223cbcdf09945f7e442b3bb6a7466dcee96778ff42f9b2bc9c6e6c
                                                  • Instruction Fuzzy Hash: DAF0E571941601BBCB203BB0AC1EB157FA1BF54710F054B5CF162971E2DEA4D88487A6

                                                  Control-flow Graph (legend: Executed / Not Executed)

                                                  • 1591: 537039-537064, SetErrorMode * 2, call 5361e8 * 2 -> 1596, 1597
                                                  • 1596: 537066-537080, call 53709c -> 1597
                                                  • 1597: 537085-53708f, call 5361e8 -> 1601, 1602
                                                  • 1601: 537091, call 531627 -> 1602
                                                  • 1602: 537096-537099
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000000,00000000,005328DE,00000000,00000000,00000000,00000000,?,00000000,?,0052A1A3,00000000,00000000,00000000,00000000,0051A909), ref: 00537042
                                                  • SetErrorMode.KERNEL32(00000000,?,00000000,?,0052A1A3,00000000,00000000,00000000,00000000,0051A909,00000000), ref: 00537049
                                                    • Part of subcall function 0053709C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 005370CD
                                                    • Part of subcall function 0053709C: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0053716E
                                                    • Part of subcall function 0053709C: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0053719B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                  • String ID:
                                                  • API String ID: 3389432936-0
                                                  • Opcode ID: 956d53f38330488f065d30974b99f1c4f72edec217a848a2504a31b725332146
                                                  • Instruction ID: fe2ca7675843451ea13d27fdcdcc082f8995c17f0eab8ca4b69eba8f976f2432
                                                  • Opcode Fuzzy Hash: 956d53f38330488f065d30974b99f1c4f72edec217a848a2504a31b725332146
                                                  • Instruction Fuzzy Hash: 9AF037B49182169FC724AF64D849A0D7FE8BF89710F05848EF4449B3A2CBB0D840CFA6

                                                  Control-flow Graph (legend: Executed / Not Executed)

                                                  • 1604: 5208a8-5208c6, HeapCreate -> 1605, 1606
                                                  • 1605: 5208c8-5208d5, call 520760 -> 1609, 1610
                                                  • 1606: 5208fe-520900
                                                  • 1609: 5208d7-5208e2, call 524175 -> 1616
                                                  • 1610: 5208e4-5208e7 -> 1611, 1612
                                                  • 1611: 520901-520904
                                                  • 1612: 5208e9, call 524cbc -> 1616
                                                  • 1616: 5208ee-5208f0 -> 1611, 1617
                                                  • 1617: 5208f2-5208f8, HeapDestroy -> 1606
                                                  APIs
                                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,0051A887,00000001), ref: 005208B9
                                                    • Part of subcall function 00520760: GetVersionExA.KERNEL32 ref: 0052077F
                                                  • HeapDestroy.KERNEL32 ref: 005208F8
                                                    • Part of subcall function 00524175: HeapAlloc.KERNEL32(00000000,00000140,005208E1,000003F8), ref: 00524182
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocCreateDestroyVersion
                                                  • String ID:
                                                  • API String ID: 2507506473-0
                                                  • Opcode ID: cb66110ecd5eb9cbd426de7e103b2dd05c584e9bd6cfc8b24b48d2d42d5bdadf
                                                  • Instruction ID: bed1fdf768c2c4e0dfe41baf6b29779dc4f25bd053bc7d9aed64584b578380fc
                                                  • Opcode Fuzzy Hash: cb66110ecd5eb9cbd426de7e103b2dd05c584e9bd6cfc8b24b48d2d42d5bdadf
                                                  • Instruction Fuzzy Hash: D7F065715573116AEB201730BC4A72B3EA1BF55741F105826F401CD1E7EBA488C0E952

                                                  Control-flow Graph (legend: Executed / Not Executed)

                                                  • 1618: 10027c40-10027c4b -> 1619, 1620
                                                  • 1619: 10027c86-10027c87
                                                  • 1620: 10027c4d-10027c54 -> 1621, 1622
                                                  • 1621: 10027c56, call 10027ae0 -> 1622
                                                  • 1622: 10027c5b-10027c61 -> 1624, 1625
                                                  • 1624: 10027c63-10027c69 -> 1619, 1625
                                                  • 1625: 10027c6b-10027c76, IsBadReadPtr -> 1619, 1626
                                                  • 1626: 10027c78-10027c80, RtlFreeHeap -> 1619
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                  • RtlFreeHeap.NTDLL(009D0000,00000000,00000000), ref: 10027C80
                                                    • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FreeHandleHeapModuleRead
                                                  • String ID:
                                                  • API String ID: 627478288-0
                                                  • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                  • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                  • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                  • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0051C24C
                                                    • Part of subcall function 00522F64: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FA1
                                                    • Part of subcall function 00522F64: EnterCriticalSection.KERNEL32(?,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FBC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                  • String ID:
                                                  • API String ID: 1616793339-0
                                                  • Opcode ID: f2907e7fae55aad9e2f709c5ab16aec0863515ec819aa300f5bcc5e006e62c84
                                                  • Instruction ID: 31585fd87cf4dc93c39ff74e637209de665e1406c5fbbf9897b477b6c4bc3e25
                                                  • Opcode Fuzzy Hash: f2907e7fae55aad9e2f709c5ab16aec0863515ec819aa300f5bcc5e006e62c84
                                                  • Instruction Fuzzy Hash: DA21F136AC0205BBEB10EBA8EC46BDABFA4FB05720F148515F421EB2C1C375A981CA54
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074), ref: 0051C112
                                                    • Part of subcall function 00522F64: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FA1
                                                    • Part of subcall function 00522F64: EnterCriticalSection.KERNEL32(?,?,?,0051D07C,00000009,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 00522FBC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFreeHeapInitialize
                                                  • String ID:
                                                  • API String ID: 641406236-0
                                                  • Opcode ID: ce4a3c4107f8df890894bc58c5020cc0faeba580b3b78b47bf21ff04b4aeb018
                                                  • Instruction ID: 968929e109b4ac6041bbdb302962c38155afe5b072a7de18c653fd3514ecb3e4
                                                  • Opcode Fuzzy Hash: ce4a3c4107f8df890894bc58c5020cc0faeba580b3b78b47bf21ff04b4aeb018
                                                  • Instruction Fuzzy Hash: 5521F672881219FBEF20ABA4DC0ABDE7F78FF49720F144115F415B61C1D7799980CAA5
                                                  APIs
                                                  • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                  • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                  • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                  • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                  APIs
                                                  • LoadStringA.USER32(?,?,?,?), ref: 005321B1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: LoadString
                                                  • String ID:
                                                  • API String ID: 2948472770-0
                                                  • Opcode ID: 67abd69595a5292a3436135e47ed7df00919b46b721d9093e9e745172f900b9b
                                                  • Instruction ID: 32b298f7ecad5192aefefcbd7c9d8c1a199a31cdf63463159fd1cf315d35339d
                                                  • Opcode Fuzzy Hash: 67abd69595a5292a3436135e47ed7df00919b46b721d9093e9e745172f900b9b
                                                  • Instruction Fuzzy Hash: 6ED09E76519362ABCA519F619808D4BBFB4BFA5350F058C4DF59493212C360D458D661
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                  • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                  • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                  • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                  APIs
                                                  • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileUnmapView
                                                  • String ID:
                                                  • API String ID: 2564024751-0
                                                  • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                  • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                  • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                  • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 1001A976
                                                  • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                  • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$Release
                                                  • String ID:
                                                  • API String ID: 3581861777-0
                                                  • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                  • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                  • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                  • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                  APIs
                                                  • GetWindow.USER32(?,00000005), ref: 1001A773
                                                  • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                  • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Window$ProcessThreadVisible
                                                  • String ID:
                                                  • API String ID: 569392824-0
                                                  • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                  • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                  • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                  • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                  APIs
                                                  • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                  • NtClose.NTDLL(?), ref: 100141D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CloseMutexRelease
                                                  • String ID: `+Fw
                                                  • API String ID: 2985832019-1178111234
                                                  • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                  • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                  • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                  • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                  • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                  • wsprintfA.USER32 ref: 10029676
                                                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                    • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                  • atoi.MSVCRT(?), ref: 100296CB
                                                  • strchr.MSVCRT ref: 10029703
                                                  • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                  • wsprintfA.USER32 ref: 10029739
                                                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                  • String ID: DLL ERROR
                                                  • API String ID: 3187504500-4092134112
                                                  • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                  • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                                                  • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                  • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
                                                  APIs
                                                  • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                  • strrchr.MSVCRT ref: 10028EC7
                                                  • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                  • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                  • String ID:
                                                  • API String ID: 1380196384-0
                                                  • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                  • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                                                  • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                  • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00520A62,?,Microsoft Visual C++ Runtime Library,00012010,?,00787CC4,?,00787D14,?,?,?,Runtime Error!Program: ), ref: 005280F7
                                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0052810F
                                                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00528120
                                                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0052812D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                  • API String ID: 2238633743-4044615076
                                                  • Opcode ID: 792fe3b800cfd1443a716b6eee4d08c378bb0ea973cca34aaa25e0474ff16657
                                                  • Instruction ID: fe99866abb1f60ea638e2dbaed267f5ea370de2e9a9f38f636c557b9de20cb51
                                                  • Opcode Fuzzy Hash: 792fe3b800cfd1443a716b6eee4d08c378bb0ea973cca34aaa25e0474ff16657
                                                  • Instruction Fuzzy Hash: 6C01B171606361AFC711AFF5BCC092B3EFCBB5EB907048429B200C72A1DE788856DB21
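The "APIs" bullets in this report follow one fixed shape (API name, module, argument list, call-site address, optional subcall prefix), which makes them easy to triage in bulk. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses call lines such as those in the GetModuleHandleA/LoadLibraryA/GetProcAddress entry with the "DLL ERROR" string and the LoadLibraryA(user32.dll) entry directly above into structured records, groups them per analysed function, flags a few API chains (dynamic import resolution, GDI screen capture, visible-window enumeration, registry value reads) and lists the import names handed to GetProcAddress. The sample input is copied from entries on this page; the chain rules, thresholds and function names are the example's own choices.

```python
"""Triage helper for Joe Sandbox "APIs" bullets: parses each call line,
groups calls per analysed function and flags API chains worth a look.
Added example for this report page, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet: optional "Part of subcall function ADDR:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". Mangled C++ names such as ??2@YAPAXI@Z
# contain no dots, so the API name is everything up to the first dot.
_CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX32 = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # set when the sandbox lists it under a callee


def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one '• Api.MODULE(args), ref: ADDR' bullet; None if it is not one."""
    m = _CALL.match(line)
    if not m:
        return None
    raw_args = m["args"]
    args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
    return ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16),
                   int(m["sub"], 16) if m["sub"] else None)


def parse_functions(report_text: str) -> List[List[ApiCall]]:
    """Split report text into per-function call lists: an 'APIs' line opens
    an entry, 'Strings' or 'Memory Dump Source' closes it."""
    functions, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
        elif line in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None:
            call = parse_call(line)
            if call:
                current.append(call)
    return functions


# A chain fires only when every group contributes at least one API.
CHAIN_RULES = {
    "dynamic API resolution": [{"LoadLibraryA", "LoadLibraryW",
                                "GetModuleHandleA", "GetModuleHandleW"},
                               {"GetProcAddress"}],
    "GDI screen capture": [{"GetDC"}, {"SelectObject"}, {"ReleaseDC"}],
    "visible-window enumeration": [{"GetWindow"}, {"IsWindowVisible"},
                                   {"GetWindowThreadProcessId"}],
    "registry value read": [{"RegOpenKeyA", "RegOpenKeyExA"},
                            {"RegQueryValueExA"}],
}


def flag_chains(calls: List[ApiCall]) -> List[str]:
    names = {c.api for c in calls}
    return [label for label, groups in CHAIN_RULES.items()
            if all(names & group for group in groups)]


def resolved_imports(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress. An eight-hex-digit argument is skipped:
    it may be an ordinal or a pointer the sandbox could not resolve."""
    names = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            target = c.args[1]
            if target != "?" and not _HEX32.fullmatch(target):
                names.append(target)
    return names


# Constructed sample: two entries copied from this page, the 0x10000000
# module's "DLL ERROR" resolver and the 0x00400000 module's user32 loader.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleA.KERNEL32(?), ref: 10029652
• LoadLibraryA.KERNEL32(?), ref: 1002965F
• wsprintfA.USER32 ref: 10029676
• MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
  • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
• atoi.MSVCRT(?), ref: 100296CB
• strchr.MSVCRT ref: 10029703
• GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
Strings
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00520A62,?,Microsoft Visual C++ Runtime Library,00012010,?,00787CC4,?,00787D14,?,?,?,Runtime Error!Program: ), ref: 005280F7
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0052810F
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00528120
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0052812D
Strings
Memory Dump Source
"""

if __name__ == "__main__":
    for i, calls in enumerate(parse_functions(SAMPLE_REPORT)):
        print(f"function {i}: flags={flag_chains(calls)} "
              f"imports={resolved_imports(calls)}")
```

Both sample functions trip the dynamic-resolution rule, which is the caveat worth keeping in mind: a chain rule is a triage hint, not a verdict. The second function, with LoadLibraryA(user32.dll), GetProcAddress for MessageBoxA, GetActiveWindow and GetLastActivePopup and the "Runtime Error!Program:" string, matches the well-known shape of the MSVC C runtime's own error-dialog helper in the original 0x00400000 image. The first, in the unpacked module at 0x10000000, parses its target with atoi and strchr, resolves an export whose argument the sandbox shows only as 00000040 (which GetProcAddress would treat as ordinal 64 if that is the real value) and falls back to a "DLL ERROR" message box followed by ExitProcess; that is the entry a reviewer should spend time on.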
                                                  APIs
                                                  • LCMapStringW.KERNEL32(00000000,00000100,00787F4C,00000001,00000000,00000000,7556E860,007EAE84,?,?,?,0051C5DD,?,?,?,00000000), ref: 00523EA6
                                                  • LCMapStringA.KERNEL32(00000000,00000100,00787F48,00000001,00000000,00000000,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 00523EC2
                                                  • LCMapStringA.KERNEL32(?,?,?,0051C5DD,?,?,7556E860,007EAE84,?,?,?,0051C5DD,?,?,?,00000000), ref: 00523F0B
                                                  • MultiByteToWideChar.KERNEL32(?,007EAE85,?,0051C5DD,00000000,00000000,7556E860,007EAE84,?,?,?,0051C5DD,?,?,?,00000000), ref: 00523F43
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0051C5DD,?,00000000,?,?,0051C5DD,?), ref: 00523F9B
                                                  • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0051C5DD,?), ref: 00523FB1
                                                  • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0051C5DD,?), ref: 00523FE4
                                                  • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0051C5DD,?), ref: 0052404C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: String$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 352835431-0
                                                  • Opcode ID: 03464a17a04155d51b456ad515cb3a384b07b8bc9ca4ed0a0d9d8de2cc7ea127
                                                  • Instruction ID: 14ae6475db63bf7133f17c353231425956f6ea6306cbdbdd5336ea38a537395f
                                                  • Opcode Fuzzy Hash: 03464a17a04155d51b456ad515cb3a384b07b8bc9ca4ed0a0d9d8de2cc7ea127
                                                  • Instruction Fuzzy Hash: 8C516E31900269BFDF228F95ED459EE7FB9FF89750F204119F911A61A0C3398E50EBA1
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 005209AB
                                                  • GetStdHandle.KERNEL32(000000F4,00787CC4,00000000,00000000,00000000,?), ref: 00520A81
                                                  • WriteFile.KERNEL32(00000000), ref: 00520A88
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: File$HandleModuleNameWrite
                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                  • API String ID: 3784150691-4022980321
                                                  • Opcode ID: a3152ee3b1d9b7dfe6a1655b44ec816b37a27feb7052b77dc335693d61efc21a
                                                  • Instruction ID: 215f61d17169500977cafc0756946f24c0dd8b64cf281f06843306d0a5c72fcd
                                                  • Opcode Fuzzy Hash: a3152ee3b1d9b7dfe6a1655b44ec816b37a27feb7052b77dc335693d61efc21a
                                                  • Instruction Fuzzy Hash: 8031C8B2A01229AFEF20E760EC4AFAA7B7CBF96300F500555F445D60D2E674DA85CB61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10000000_S4.jbxd
Similarity
• API ID:
• String ID: %I64d$%lf
• API String ID: 0-1545097854
• Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
• Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
• Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
• Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 00520392
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 005203A6
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 005203D2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A8BF), ref: 0052040A
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A8BF), ref: 0052042C
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0051A8BF), ref: 00520445
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A8BF), ref: 00520458
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00520496
Memory Dump Source
• Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_S4.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
• Opcode ID: 9a7140e89ad0a5ea3e16bf55feeb579e3cf5f0ca86937572eec0c3b2da3b7e1b
• Instruction ID: fb79d8fa1e10e6d420733441b23eafa4e9304ae8f1472da1932fe1321c1c2cf7
• Opcode Fuzzy Hash: 9a7140e89ad0a5ea3e16bf55feeb579e3cf5f0ca86937572eec0c3b2da3b7e1b
• Instruction Fuzzy Hash: 1B31E9725062756F9F207F747CC483B7EACFE9A3587155929F685C31C3E6219C4092E1
APIs
• GetStringTypeW.KERNEL32(00000001,00787F4C,00000001,?,7556E860,007EAE84,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 00527677
• GetStringTypeA.KERNEL32(00000000,00000001,00787F48,00000001,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 00527691
• GetStringTypeA.KERNEL32(?,?,?,?,0051C5DD,7556E860,007EAE84,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 005276C5
• MultiByteToWideChar.KERNEL32(?,007EAE85,?,?,00000000,00000000,7556E860,007EAE84,?,?,0051C5DD,?,?,?,00000000,00000001), ref: 005276FD
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0051C5DD,?), ref: 00527753
• GetStringTypeW.KERNEL32(?,?,00000000,0051C5DD,?,?,?,?,?,?,0051C5DD,?), ref: 00527765
Memory Dump Source
• Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_S4.jbxd
Similarity
• API ID: StringType$ByteCharMultiWide
• String ID:
• API String ID: 3852931651-0
• Opcode ID: 36155b4ef131cccbe7d270390a2c51143a2deb1624e81bb878efece7493046cb
• Instruction ID: 597070c923135ded471687ec2f2f42941fe6199ac06a8cd849b2699ab23ac12b
• Opcode Fuzzy Hash: 36155b4ef131cccbe7d270390a2c51143a2deb1624e81bb878efece7493046cb
• Instruction Fuzzy Hash: 03415772604269AFCF209F99ED86DEA3FB9FF1A750F104825F901A6290C3359951DBA0
APIs
• TlsGetValue.KERNEL32(007E6BBC,007E6BAC,00000000,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 00536583
• EnterCriticalSection.KERNEL32(007E6BD8,00000010,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 005365D2
• LeaveCriticalSection.KERNEL32(007E6BD8,00000000,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 005365E5
• LocalAlloc.KERNEL32(00000000,00000004,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 005365FB
• LocalReAlloc.KERNEL32(?,00000004,00000002,?,007E6BBC,?,005367E0,007E6BAC,00000000,?,00000000,005361F7,00535AE6,00536213,00531617,005328BF), ref: 0053660D
• TlsSetValue.KERNEL32(007E6BBC,00000000), ref: 00536649
Memory Dump Source
• Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_S4.jbxd
Similarity
• API ID: AllocCriticalLocalSectionValue$EnterLeave
• String ID:
• API String ID: 4117633390-0
• Opcode ID: 61805443c8a8351442137a9e57ac4b1c3be5a60a2bf153fc7916f80144d1d86d
• Instruction ID: 55b3d0f08750edec2ebc7dc7861caa6c1fcd96b1acc8a37fa5d869030241e0c2
• Opcode Fuzzy Hash: 61805443c8a8351442137a9e57ac4b1c3be5a60a2bf153fc7916f80144d1d86d
• Instruction Fuzzy Hash: 35314975100606BFDB24DF55D89AE66BBF8FB85350F00C92DF41687650EB70E919CB60
APIs
• GetVersionExA.KERNEL32 ref: 0052077F
• GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 005207B4
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00520814
Strings
Memory Dump Source
• Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_S4.jbxd
Similarity
• API ID: EnvironmentFileModuleNameVariableVersion
• String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
• API String ID: 1385375860-4131005785
• Opcode ID: 440fda4537c046cfba2bea620696646bd6015c4b57b438a01dae16c211dc6bbb
• Instruction ID: 38aebf5d356e5894bbc6bf709ec86e70be0d15cc57989b4e950530980520069d
• Opcode Fuzzy Hash: 440fda4537c046cfba2bea620696646bd6015c4b57b438a01dae16c211dc6bbb
• Instruction Fuzzy Hash: 55311172843268ADFB359770BC95AEA3F68BF13304F1824D5E085D61C3E2209EC6CB51
Memory Dump Source
• Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_S4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dac79381d562fb290ef3fbe6a523eefb4d95a778f5d928d8176a74eaa0473d9e
• Instruction ID: 5e82fb5a3109f1ce10c0b3b49d9e5c7c6d445eea0027053399547625f7ede302
• Opcode Fuzzy Hash: dac79381d562fb290ef3fbe6a523eefb4d95a778f5d928d8176a74eaa0473d9e
• Instruction Fuzzy Hash: 2EC1A6729042169FC714DF65D88197BB7E8EFA6308F04492EF85697301E738ED06CBA6
APIs
• GetStartupInfoA.KERNEL32(?), ref: 00520507
• GetFileType.KERNEL32(?,?,00000000), ref: 005205B2
• GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00520615
• GetFileType.KERNEL32(00000000,?,00000000), ref: 00520623
• SetHandleCount.KERNEL32 ref: 0052065A
Memory Dump Source
• Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: FileHandleType$CountInfoStartup
                                                  • String ID:
                                                  • API String ID: 1710529072-0
                                                  • Opcode ID: 49c5755bbbd1fe718969dd2f4583fd18a80e01cda9d8f67e3f9765a0dde9514e
                                                  • Instruction ID: 1c29c3505451ad036d74a85143f1a6853d5efbc8c2edbe24c989332a4b615159
                                                  • Opcode Fuzzy Hash: 49c5755bbbd1fe718969dd2f4583fd18a80e01cda9d8f67e3f9765a0dde9514e
                                                  • Instruction Fuzzy Hash: 335149716022618FCB20CB28E8887697FE0FF57324F259A68D496CB2E2D734EC05CB51
                                                  APIs
                                                  • GetLastError.KERNEL32(00000103,7FFFFFFF,0051CBD2,0051F4E7,00000000,?,?,00000000,00000001), ref: 005206CE
                                                  • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005206DC
                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520728
                                                    • Part of subcall function 0051CFC6: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 0051D0BC
                                                  • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520700
                                                  • GetCurrentThreadId.KERNEL32 ref: 00520711
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                  • String ID:
                                                  • API String ID: 2020098873-0
                                                  • Opcode ID: 974f7ae0e67cc05f8cce2190a4064026d72505ed4f72b4a836827af777de2bfc
                                                  • Instruction ID: 3dc7a79f620f1944263cadcde3bd7598e021e209c1ffff6266cc758edc579e4b
                                                  • Opcode Fuzzy Hash: 974f7ae0e67cc05f8cce2190a4064026d72505ed4f72b4a836827af777de2bfc
                                                  • Instruction Fuzzy Hash: 0DF02B366022225FD7312B30BC0DA5A7F31FF82771B144515F942953E1CF3098819A71
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(007E6D70,?,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213), ref: 005374F0
                                                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213), ref: 00537502
                                                  • LeaveCriticalSection.KERNEL32(007E6D70,?,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213), ref: 0053750B
                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213,00531617), ref: 0053751D
                                                    • Part of subcall function 00537422: GetVersion.KERNEL32(?,005374C5,?,00536826,00000010,?,00000000,?,?,?,0053620D,00536270,00535AE6,00536213,00531617,005328BF), ref: 00537435
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                  • String ID: pm~
                                                  • API String ID: 1193629340-3428776083
                                                  • Opcode ID: ae40e1ac29874b1952d2015ba520e3995dc4929c57f54031180fce7413e0053e
                                                  • Instruction ID: 6ed2df4f9d0587cbb123f2fb6e156edad95f128ec528c9fcab73caf2ed5af041
                                                  • Opcode Fuzzy Hash: ae40e1ac29874b1952d2015ba520e3995dc4929c57f54031180fce7413e0053e
                                                  • Instruction Fuzzy Hash: 0BF0817560224EDFCF20DFA4FCC4856BB7DFB2C362B404426E60582011D734F459CA64
                                                  APIs
                                                  • wsprintfA.USER32 ref: 10027B78
                                                  • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: Messagewsprintf
                                                  • String ID: error$program internal error number is %d. %s
                                                  • API String ID: 300413163-3752934751
                                                  • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                  • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                  • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                  • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                  APIs
                                                  • HeapAlloc.KERNEL32(00000000,00002020,007A91D0,007A91D0,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524CDD
                                                  • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D01
                                                  • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D1B
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000,?), ref: 00524DDC
                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000,?,00000000), ref: 00524DF3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual$FreeHeap
                                                  • String ID:
                                                  • API String ID: 714016831-0
                                                  • Opcode ID: e9afc61a88abe7da6a5d40d5ca0f396006408d0014514c19532cb76d0c12edbd
                                                  • Instruction ID: a1c36fb61aee3d953d60584b69bada95ba15593656a5d3dcb543d205850372e7
                                                  • Opcode Fuzzy Hash: e9afc61a88abe7da6a5d40d5ca0f396006408d0014514c19532cb76d0c12edbd
                                                  • Instruction Fuzzy Hash: C73100716417169BD3308F28FC49B21BBB4FB86B54F108A39E6559B2D0E778A810CF58
                                                  APIs
                                                  • malloc.MSVCRT ref: 10029FB3
                                                  • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                  • free.MSVCRT ref: 10029FF6
                                                  • free.MSVCRT ref: 1002A014
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: free$Stringmalloc
                                                  • String ID:
                                                  • API String ID: 3576809655-0
                                                  • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                  • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                  • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                  • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                  APIs
                                                  • GetVersion.KERNEL32 ref: 0051A84F
                                                    • Part of subcall function 005208A8: HeapCreate.KERNEL32(00000000,00001000,00000000,0051A887,00000001), ref: 005208B9
                                                    • Part of subcall function 005208A8: HeapDestroy.KERNEL32 ref: 005208F8
                                                  • GetCommandLineA.KERNEL32 ref: 0051A8AF
                                                  • GetStartupInfoA.KERNEL32(?), ref: 0051A8DA
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0051A8FD
                                                    • Part of subcall function 0051A956: ExitProcess.KERNEL32 ref: 0051A973
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                  • String ID:
                                                  • API String ID: 2057626494-0
                                                  • Opcode ID: beafcfaabc616e5ab603c5abd7d47544d94231d53e3847d468593dd36544bc85
                                                  • Instruction ID: 0c5682f92a0ea5e7677c73f628dba2564fe3f00436a561b64aae1fa923127c79
                                                  • Opcode Fuzzy Hash: beafcfaabc616e5ab603c5abd7d47544d94231d53e3847d468593dd36544bc85
                                                  • Instruction Fuzzy Hash: 6D21B9718413569FEB04ABB4EC4EAAD7F78FF95710F104429F5019B2D2DB388880C761
                                                  APIs
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                  • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                  • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2719972737.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_10000000_S4.jbxd
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateWrite
                                                  • String ID:
                                                  • API String ID: 3602564925-0
                                                  • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                  • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                  • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                  • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
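The entries above are raw function fingerprints; the triage question a practitioner asks of them is which functions are runtime housekeeping (the GetLastError/TlsGetValue/TlsSetValue/GetCurrentThreadId routine at 005206CE and the Enter/Initialize/LeaveCriticalSection routine at 005374F0 follow the MSVC CRT's _getptd and _lock idioms) and which are the sample's own behaviour: the VirtualAlloc pair at 00524D01/00524D1B reserves 0x400000 bytes (MEM_RESERVE, PAGE_READWRITE) and then commits 0x10000 (MEM_COMMIT), an allocator-style arena rather than executable staging, while the routine at 10028DC8 in the 10000000 module opens a file with GENERIC_WRITE and CREATE_ALWAYS, writes to it and closes it, which is a file-drop primitive. The Python script below is an added example and not part of the Joe Sandbox report: it parses the report's own "• Api.Module(args), ref: addr" line format, decodes the Win32 constants, and applies those checks. The sample input is copied from the three entries above; the CRT idiom table is an assumption drawn from the MSVC CRT sources, not something the report states.

```python
"""Triage helper for Joe Sandbox "APIs" listings: an added example, not report code.
Parses "• Api.Module(args), ref: addr" lines, decodes Win32 constants, and separates
CRT housekeeping from the sample's own file and memory behaviour."""
import re
from dataclasses import dataclass

# Win32 constants from the SDK headers (winnt.h, fileapi.h, memoryapi.h).
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Assumed CRT idioms (from the MSVC CRT sources, not stated by the report): a
# function whose own calls cover one of these sets is runtime housekeeping.
CRT_IDIOMS = {
    frozenset({"GetLastError", "TlsGetValue", "SetLastError", "TlsSetValue",
               "GetCurrentThreadId"}): "MSVC CRT per-thread data (_getptd)",
    frozenset({"EnterCriticalSection", "InitializeCriticalSection",
               "LeaveCriticalSection"}): "MSVC CRT lazy lock init (_lock)",
}

CALL_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class Call:
    api: str
    args: list      # int per argument, None where the report prints "?"
    ref: int        # call-site address
    subcall: bool   # True for "Part of subcall function" lines

def _arg(tok):
    tok = tok.strip()
    sign = -1 if tok.startswith("-") else 1
    try:
        return sign * int(tok.lstrip("-"), 16)
    except ValueError:
        return None

def parse_entries(text):
    """Split the excerpt at each 'APIs' heading; return one call list per function."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            entries.append([])
            continue
        m = CALL_RE.match(line)
        if m and entries:
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            entries[-1].append(Call(m["api"], args, int(m["ref"], 16), m["sub"] is not None))
    return entries

def _flags(value, table):
    return "|".join(n for bit, n in table.items() if value & bit) or hex(value)

def triage(calls):
    """Findings for one function: CRT idiom match, decoded file/memory calls, behaviours."""
    own = {c.api for c in calls if not c.subcall}
    findings = [label for apis, label in CRT_IDIOMS.items() if apis <= own]
    for c in calls:
        a = c.args
        if c.api == "CreateFileA" and len(a) >= 6 and a[1] is not None:
            access = _flags(a[1], {GENERIC_READ: "GENERIC_READ", GENERIC_WRITE: "GENERIC_WRITE"})
            disp = CREATION.get(a[4], "?" if a[4] is None else hex(a[4]))
            findings.append(f"CreateFileA at {c.ref:08X}: {access}, {disp}")
            if a[1] & GENERIC_WRITE and "WriteFile" in own:
                findings.append("file drop: writable handle and WriteFile in the same function")
        elif c.api == "VirtualAlloc" and len(a) >= 4 and None not in a[1:4]:
            kind = _flags(a[2], {MEM_COMMIT: "MEM_COMMIT", MEM_RESERVE: "MEM_RESERVE"})
            findings.append(f"VirtualAlloc at {c.ref:08X}: {a[1]:#x} bytes {kind} {PROTECT.get(a[3], hex(a[3]))}")
            if a[3] in (0x20, 0x40):
                findings.append("executable memory requested: candidate unpacking stub")
    types = [c.args[2] for c in calls if c.api == "VirtualAlloc" and len(c.args) > 2]
    if MEM_RESERVE in types and MEM_COMMIT in types:
        findings.append("private arena: reserve then commit with RW pages (allocator-style)")
    return findings

# Constructed input: three entries copied from this report's listing.
SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D01
• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000), ref: 00524D1B
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00525188,00000000,00000010,00000000,00000009,00000009,?,0051C211,00000010,00000000,?), ref: 00524DDC
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
• WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
• CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
APIs
• GetLastError.KERNEL32(00000103,7FFFFFFF,0051CBD2,0051F4E7,00000000,?,?,00000000,00000001), ref: 005206CE
• TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005206DC
• SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520728
  • Part of subcall function 0051CFC6: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,005206F1,00000001,00000074,?,?,00000000,00000001), ref: 0051D0BC
• TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520700
• GetCurrentThreadId.KERNEL32 ref: 00520711
"""
```

Calling `triage` on each list returned by `parse_entries(SAMPLE)` reports the reserve/commit arena for the first entry, the GENERIC_WRITE + CREATE_ALWAYS file drop for the second, and only the _getptd label for the third; "Part of subcall function" lines are parsed but excluded from the idiom match so that a callee's HeapAlloc does not change the caller's classification. The PAGE_EXECUTE check fires on none of these entries, which is the point: the arena here is RW only, so the unpacking seen elsewhere in the report is not happening in this function.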
                                                  APIs
                                                  • GetCPInfo.KERNEL32(?,00000000), ref: 0051FA33
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: Info
                                                  • String ID: $
                                                  • API String ID: 1807457897-3032137957
                                                  • Opcode ID: c1caa2e242e4cb58746d9e6031f43cb60e3ca87dc595769c353ba130a0442ae4
                                                  • Instruction ID: efacea20c57f77716f9e8e54182df7b98714f7195512478bc6f9794aaff18cd6
                                                  • Opcode Fuzzy Hash: c1caa2e242e4cb58746d9e6031f43cb60e3ca87dc595769c353ba130a0442ae4
                                                  • Instruction Fuzzy Hash: DA4136710092982AEB11D754DDA9FEB7FA8BB09700F1405F5D14ACB192C26D9A84DB63
                                                  APIs
                                                    • Part of subcall function 0051D76C: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0051A909,00000000), ref: 0051D79A
                                                  • __EH_prolog.LIBCMT ref: 0052A95B
                                                  • lstrcpynA.KERNEL32(?,?,00000104), ref: 0052AA48
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: ExceptionH_prologRaiselstrcpyn
                                                  • String ID: 0P~
                                                  • API String ID: 2915105959-3593223661
                                                  • Opcode ID: 9795e0877e213908e8a0eb8f6b1e4559d576fc43bf7096911f0e37b8e102f47a
                                                  • Instruction ID: 11964ec038b6d1fb56b5de4ffc8f657645d1f660792a87a7d179d72f8cc7fbd3
                                                  • Opcode Fuzzy Hash: 9795e0877e213908e8a0eb8f6b1e4559d576fc43bf7096911f0e37b8e102f47a
                                                  • Instruction Fuzzy Hash: E6417BB0A40705EFD721DF68D986B9BBFE4FF45304F00482EE59A97281C7B4A904CB61
                                                  APIs
                                                  • HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,005245E2,00000000,00000000,00000000,0051C1B3,00000000,00000000,?,00000000,00000000,00000000), ref: 00524842
                                                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005245E2,00000000,00000000,00000000,0051C1B3,00000000,00000000,?,00000000,00000000,00000000), ref: 00524876
                                                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00524890
                                                  • HeapFree.KERNEL32(00000000,?), ref: 005248A7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: AllocHeap$FreeVirtual
                                                  • String ID:
                                                  • API String ID: 3499195154-0
                                                  • Opcode ID: dd516e508d91aa269cf24b3ae62aa8ae18910340de6c1f01e9f5b6f077060419
                                                  • Instruction ID: 0b6877c9f9a57186a36386d47a43c38ecb020450bd322db7b19f9b31eb0cbabb
                                                  • Opcode Fuzzy Hash: dd516e508d91aa269cf24b3ae62aa8ae18910340de6c1f01e9f5b6f077060419
                                                  • Instruction Fuzzy Hash: 5911CE31201380AFC7218F28FCC6D22BBB6FB893247108A19F162CA1F0C3B5A841DF55
                                                  APIs
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F48
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F50
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F58
                                                  • InitializeCriticalSection.KERNEL32(?,0052066B,?,0051A899), ref: 00522F60
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2716954921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000005.00000002.2716935130.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000679000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.000000000076B000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717054995.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717314910.0000000000794000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717334249.0000000000796000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717358074.0000000000798000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717382404.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717402915.00000000007A2000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717421501.00000000007A7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717445436.00000000007A9000.00000008.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007E5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717466881.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007ED000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000007F5000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000005.00000002.2717587053.00000000008F0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_400000_S4.jbxd
                                                  Similarity
                                                  • API ID: CriticalInitializeSection
                                                  • String ID:
                                                  • API String ID: 32694325-0
                                                  • Opcode ID: 760ed907b01beb358075eb1b4274c23e65fadbc6c71c3147581ec862651e528b
                                                  • Instruction ID: b962c39b7ccfd5f666ee45d125adeabced1e133feb6e9daf6046f5bdffd986ae
                                                  • Opcode Fuzzy Hash: 760ed907b01beb358075eb1b4274c23e65fadbc6c71c3147581ec862651e528b
                                                  • Instruction Fuzzy Hash: D3C00231805039EECAD16B55FD0584A3F77FB9A2657018063B104521309E651C10EFD6