
Windows Analysis Report
215.exe

Overview

General Information

Sample name: 215.exe
Analysis ID: 1559177
MD5: 4d18783059031dea15c1ff32f60ea380
SHA1: b370235425ba172a351eb7bd9c3e711029103c62
SHA256: 62dcd6e23be41d2f3d5a350d909240714781431b2d8dbffea6d31cd9b4d170d1
Tags: exe, opendir, user-Joker
Infos:

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • 215.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\215.exe" MD5: 4D18783059031DEA15C1FF32F60EA380)
  • 215.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\215.exe" MD5: 4D18783059031DEA15C1FF32F60EA380)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: 215.exe PID: 7260 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: 215.exe PID: 7584 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Desktop\215.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\215.exe, ProcessId: 7260, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
      No Suricata rule has matched

      AV Detection

Source: C:\Users\user\Desktop\QQWER.dll | ReversingLabs: Detection: 73%
Source: 215.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.3% probability
Source: C:\Users\user\Desktop\QQWER.dll | Joe Sandbox ML: detected
Source: 215.exe | Joe Sandbox ML: detected

      Compliance

Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 0.2.215.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 4.2.215.exe.10000000.2.unpack
Source: 215.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Binary string: devco n.pdbo source: 215.exe
      Source: Binary string: wntdll.pdbUGP source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
      Source: Binary string: wntdll.pdb source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
      Source: Binary string: DrvInDM U.pdbe source: 215.exe
      Source: Binary string: wuser32.pdb source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr
      Source: Binary string: devc@on.pdb source: 215.exe
      Source: Binary string: wuser32.pdbUGP source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_1000710E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_1000710E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 4_2_1000710E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_1000710E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1001A199
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_10018AD3
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_10018AD3
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_10018EEA
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_100193C2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 4_2_100193C2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10007FDD
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10018801
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_10017804
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10011772
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10013C18
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_10011C1A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1001A031
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 4_2_10024C38
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_1001AC51
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_1001AC51
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_1001AC51
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10006051
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10006051
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001385A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_10002461
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1000F472
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 4_2_1001847E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10022882
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 4_2_10025484
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 4_2_10025484
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_10006495
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10006C96
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_10014096
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_10014096
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_100024AC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_100024AC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_100024AC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_100024AC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1000FCB0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_100198CC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_100188E1
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001A4E7
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1000210D
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1000210D
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 4_2_1000B90D
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10003116
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10017D41
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10017D41
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1000FD4D
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_10001D56
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 4_2_10025977
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10010199
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_1001419C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_1001419C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10008DA3
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_100111A7
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10007DB8
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 4_2_100151BD
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 4_2_100151BD
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 4_2_100151BD
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 4_2_1001D1C4
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_1001D1C4
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_100259D9
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 4_2_100221E2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 4_2_100221E2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 4_2_100221E2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 4_2_100221E2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 4_2_100221E2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_100189E6
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1000FDEA
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_100101FB
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_10014203
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001121A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001121A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001121A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001121A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001121A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001121A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1000B61E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 4_2_1001221F
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 4_2_1001221F
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001A236
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1001363D
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001363D
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10008E40
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_10011653
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_10011653
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10010255
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10010255
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10007E55
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 4_2_10007E55
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-40h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-40h], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 4_2_1000C655
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1000FA6F
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10022A80
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10011E89
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_1002129C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1001A6C7
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 4_2_10017ECA
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10010AD6
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10010AD6
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 4_2_10008EDD
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_1001BADE
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_100246E4
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_100236FF
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 4_2_100236FF
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1000FF10
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10008B27
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_1001BB29
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_10015B34
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1000833D
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-34h], esp | 4_2_10012B40
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 4_2_1000634E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1000B353
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_10026356
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 4_2_1001DB5C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_1001DB5C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10017B68
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_10011772
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 4_2_10024781
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 4_2_10024781
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1002378A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1002378A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 4_2_1002378A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1002378A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 4_2_1002378A
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 4_2_10014289
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 4_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 4_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 4_2_1000A7A2
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_100137A3
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_1000F7AC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10008BC4
      Source: C:\Users\user\Desktop\215.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 4_2_10013FC8
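Every row above is one hit of the same byte pattern: four NOP bytes (90 90 90 90) directly followed by CMP r/m32, r32 (opcode 39) whose ModRM selects [ebp+disp] as the memory operand and ESP as the register. The scanner below is an added example written for this page, not code from the report or from 215.exe; it finds that pattern in a 32-bit code blob and prints hits in the report's own "[ebp-XXh], esp" notation. The blob it scans is constructed for the demonstration, and the image base 0x10000000 is assumed so that hit addresses resemble the ones listed. Note that a compare of ESP against a saved copy is also what compiler-inserted stack-pointer consistency checks look like, so this signature on its own is a weak indicator and is better read together with the report's other findings.

```python
"""Byte-level scanner for the pattern reported above as
"4x nop then cmp dword ptr [ebp-XXh], esp" (32-bit x86).

Added example, not code from the report or from 215.exe. SAMPLE is a
constructed blob; BASE is an assumed image base chosen so that hits print
like the report's addresses."""
import struct
from typing import Iterator, List, Tuple

NOP = 0x90
CMP_RM32_R32 = 0x39            # CMP r/m32, r32
MODRM_EBP_DISP8_ESP = 0x65     # mod=01 (disp8)  reg=100 (esp) rm=101 (ebp)
MODRM_EBP_DISP32_ESP = 0xA5    # mod=10 (disp32) reg=100 (esp) rm=101 (ebp)
BASE = 0x10000000              # assumed image base


def find_nop_cmp_esp(code: bytes, base: int = BASE) -> Iterator[Tuple[int, int]]:
    """Yield (address of the cmp, signed displacement) for each hit.

    A hit is exactly four 0x90 bytes immediately followed by 39 65 disp8 or
    39 A5 disp32. Fewer NOPs, or a different register operand, do not count."""
    i, n = 0, len(code)
    while i + 6 <= n:
        if code[i:i + 4] == bytes([NOP] * 4) and code[i + 4] == CMP_RM32_R32:
            modrm = code[i + 5]
            if modrm == MODRM_EBP_DISP8_ESP and i + 7 <= n:
                yield base + i + 4, struct.unpack_from("<b", code, i + 6)[0]
                i += 7
                continue
            if modrm == MODRM_EBP_DISP32_ESP and i + 10 <= n:
                yield base + i + 4, struct.unpack_from("<i", code, i + 6)[0]
                i += 10
                continue
        i += 1


def format_hit(addr: int, disp: int) -> str:
    """Render a hit in the report's notation: disp8 as two hex digits
    ('[ebp-38h]'), disp32 as eight ('[ebp-00000084h]')."""
    sign = "-" if disp < 0 else "+"
    width = 2 if -128 <= disp <= 127 else 8
    return f"4x nop then cmp dword ptr [ebp{sign}{abs(disp):0{width}X}h], esp  {addr:08X}"


def scan(code: bytes, base: int = BASE) -> List[str]:
    """All hits in `code`, formatted one per line."""
    return [format_hit(a, d) for a, d in find_nop_cmp_esp(code, base)]


# Constructed blob: a small prologue, three real hits, two near-misses, an epilogue.
SAMPLE = bytes.fromhex(
    "55 8B EC"                        # push ebp; mov ebp, esp
    "83 EC 40"                        # sub esp, 40h
    "90 90 90 90 39 65 C8"            # 4x nop; cmp [ebp-38h], esp     (hit)
    "90 90 90 90 39 65 F4"            # 4x nop; cmp [ebp-0Ch], esp     (hit)
    "90 90 39 65 F4"                  # only two nops                  (no hit)
    "90 90 90 90 39 75 F4"            # 4x nop; cmp [ebp-0Ch], esi     (no hit)
    "90 90 90 90 39 A5 7C FF FF FF"   # 4x nop; cmp [ebp-84h], esp     (hit, disp32)
    "8B E5 5D C3"                     # mov esp, ebp; pop ebp; ret
)

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```

Running the block prints three lines, one per real hit; the two-NOP sequence and the ESI compare are skipped, which is the distinction the signature draws. To apply it to a real sample, read the executable sections of the PE into `code` and pass the section's virtual address as `base`.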
      Source: Joe Sandbox View | IP Address: 42.193.100.57 42.193.100.57
      Source: global traffic | HTTP traffic detected:
          GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
          GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
          GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
          GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
          GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
          GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
          GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
          GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
          Accept: */*
          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
          Host: 42.193.100.57
          Cache-Control: no-cache
      Source: unknownTCP traffic detected without corresponding DNS query: 42.193.100.57
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/8.5 | Date: Wed, 20 Nov 2024 08:21:59 GMT | Content-Length: 1163
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/8.5 | Date: Wed, 20 Nov 2024 08:22:15 GMT | Content-Length: 1163
      Source: 215.exe | String found in binary or memory: http://.httpsset-cookie:;;
      Source: 215.exe | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt-
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt._cache_
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtJ
      Source: 215.exe | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt1
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt3
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtAs
      Source: 215.exe, 00000000.00000002.2629312386.00000000009D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtS
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtST
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtgrams
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtm
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtn
      Source: 215.exe | String found in binary or memory: http://ocsp.t
      Source: 215.exe | String found in binary or memory: http://sf.symc
      Source: 215.exe | String found in binary or memory: http://ts-ocsp.ws.s
      Source: 215.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.
      Source: 215.exe | String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
      Source: 215.exe | String found in binary or memory: https://User-Agent:Mozilla/4.0
      Source: 215.exe | String found in binary or memory: https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1
      Source: 215.exe | String found in binary or memory: https://ww(w.v
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputData | memstr_2e29a65d-f
      Source: Yara match | File source: Process Memory Space: 215.exe PID: 7260, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 215.exe PID: 7584, type: MEMORYSTR
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_10007FDD NtClose
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001419C ReleaseMutex,NtClose
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001221F NtClose
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_10007FDD NtClose
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1001419C ReleaseMutex,NtClose
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1001221F NtClose
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_004C60B0
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_10002628
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_100032EA
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_004C60B0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_10002628
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_100032EA
      Source: C:\Users\user\Desktop\215.exe | Process token adjusted: Load Driver
      Source: C:\Users\user\Desktop\215.exe | Process token adjusted: Security
      Source: C:\Users\user\Desktop\215.exe | Code function: String function: 10029640 appears 130 times
      Source: 648508.tmp.0.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 64c0e8.tmp.4.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 64c0e8.tmp.4.dr | Static PE information: No import functions for PE file found
      Source: 648508.tmp.0.dr | Static PE information: No import functions for PE file found
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe, 00000000.00000003.1373948172.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000000.00000002.2631007926.0000000002E2B000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe, 00000000.00000002.2630715178.0000000002CFE000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000004.00000003.1526583142.0000000002C01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000004.00000002.2630835922.0000000002DBA000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe, 00000004.00000002.2631166829.0000000002EF4000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: QQWER.dll.0.dr | Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
      Source: 648508.tmp.0.dr | Binary string: \Device\IPT[
      Source: classification engine | Classification label: mal84.evad.winEXE@2/11@0/1
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_00415A0C GetDiskFreeSpaceExA
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\215.exe | Mutant created: NULL
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\648508.tmp
      Source: 215.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\215.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 215.exe | ReversingLabs: Detection: 47%
      Source: unknown | Process created: C:\Users\user\Desktop\215.exe "C:\Users\user\Desktop\215.exe"
      Source: C:\Users\user\Desktop\215.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\215.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
      Source: C:\Users\user\Desktop\215.exe | Window detected: Number of UI elements: 23
      Source: 215.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: 215.exe | Static file information: File size 5222400 > 1048576
      Source: 215.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14f000
      Source: 215.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x286000
      Source: 215.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
      Source: Binary string: devco n.pdbo source: 215.exe
      Source: Binary string: wntdll.pdbUGP source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
      Source: Binary string: wntdll.pdb source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
      Source: Binary string: DrvInDM U.pdbe source: 215.exe
      Source: Binary string: wuser32.pdb source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr
      Source: Binary string: devc@on.pdb source: 215.exe
      Source: Binary string: wuser32.pdbUGP source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 0.2.215.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 4.2.215.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_004C4020 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary
      Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
      Source: QQWER.dll.0.dr | Static PE information: section name: .Upack
      Source: 648508.tmp.0.dr | Static PE information: section name: RT
      Source: 648508.tmp.0.dr | Static PE information: section name: .mrdata
      Source: 648508.tmp.0.dr | Static PE information: section name: .00cfg
      Source: 6485a4.tmp.0.dr | Static PE information: section name: .didat
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: RT
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: .mrdata
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: .00cfg
      Source: 64c146.tmp.4.dr | Static PE information: section name: .didat
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_0052ECF0 push eax; ret 0_2_0052ED1E
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_00530F64 push eax; ret 0_2_00530F82
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_0052ECF0 push eax; ret 4_2_0052ED1E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_00530F64 push eax; ret 4_2_00530F82
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1002C7F8 push edi; ret 4_2_1002C7FC
      Source: QQWER.dll.0.dr | Static PE information: section name: .rsrc entropy: 7.999713933191419
      Source: 648508.tmp.0.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\64c146.tmp
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\64c0e8.tmp
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\6485a4.tmp
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\648508.tmp
      Source: C:\Users\user\Desktop\215.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_004CBFC0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_004CBFC0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: C:\Users\user\Desktop\215.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Source: C:\Users\user\Desktop\215.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcessgraph_0-21399
      Source: C:\Users\user\Desktop\215.exeFile opened: C:\Windows\SysWOW64\ntdll.dllJump to behavior
      Source: C:\Users\user\Desktop\215.exeFile opened: C:\Windows\SysWOW64\ntdll.dllJump to behavior
      Source: C:\Users\user\Desktop\215.exeFile opened: C:\Windows\SysWOW64\ntdll.dllJump to behavior
      Source: C:\Users\user\Desktop\215.exeFile opened: C:\Windows\SysWOW64\ntdll.dllJump to behavior
      Source: C:\Users\user\Desktop\215.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\64c146.tmpJump to dropped file
      Source: C:\Users\user\Desktop\215.exeDropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dllJump to dropped file
      Source: C:\Users\user\Desktop\215.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\64c0e8.tmpJump to dropped file
      Source: C:\Users\user\Desktop\215.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6485a4.tmpJump to dropped file
      Source: C:\Users\user\Desktop\215.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\648508.tmpJump to dropped file
      Source: C:\Users\user\Desktop\215.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Users\user\Desktop\215.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers,0_2_1000710E
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2629366792.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\215.exeAPI call chain: ExitProcess graph end nodegraph_0-21513
      Source: C:\Users\user\Desktop\215.exeAPI call chain: ExitProcess graph end nodegraph_4-21512
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_10004B1B LdrInitializeThunk,0_2_10004B1B
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_004C4020 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,0_2_004C4020
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h]0_2_1001A4C7
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h]0_2_1000AE99
      Source: C:\Users\user\Desktop\215.exeCode function: 4_2_1001A4C7 mov eax, dword ptr fs:[00000030h]4_2_1001A4C7
      Source: C:\Users\user\Desktop\215.exeCode function: 4_2_1000AE99 mov eax, dword ptr fs:[00000030h]4_2_1000AE99
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA,0_2_10027BB0
      Source: C:\Users\user\Desktop\215.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\215.exeProcess token adjusted: DebugJump to behavior
      Source: 215.exeBinary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32@@
      Source: 215.exeBinary or memory string: Shell_TrayWnd
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetProgmanWindowx
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow*
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
      Source: 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetProgmanWindowk{
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_10019EDC cpuid 0_2_10019EDC
      Source: C:\Users\user\Desktop\215.exeCode function: 0_2_00533630 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA,0_2_00533630
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
      Native API
      1
      Registry Run Keys / Startup Folder
      2
      Process Injection
      1
      Masquerading
      11
      Input Capture
      111
      Security Software Discovery
      Remote Services1
      Screen Capture
      1
      Encrypted Channel
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      LSASS Driver
      1
      Registry Run Keys / Startup Folder
      2
      Process Injection
      LSASS Memory1
      Process Discovery
      Remote Desktop Protocol11
      Input Capture
      3
      Ingress Tool Transfer
      Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAt1
      DLL Side-Loading
      1
      LSASS Driver
      1
      Deobfuscate/Decode Files or Information
      Security Account Manager1
      Application Window Discovery
      SMB/Windows Admin Shares1
      Archive Collected Data
      2
      Non-Application Layer Protocol
      Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
      DLL Side-Loading
      4
      Obfuscated Files or Information
      NTDS15
      System Information Discovery
      Distributed Component Object ModelInput Capture12
      Application Layer Protocol
      Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
      Software Packing
      LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading
      Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      SourceDetectionScannerLabelLink
      215.exe47%ReversingLabs
      215.exe100%Joe Sandbox ML
      SourceDetectionScannerLabelLink
      C:\Users\user\Desktop\QQWER.dll100%Joe Sandbox ML
      C:\Users\user\AppData\Local\Temp\648508.tmp0%ReversingLabs
      C:\Users\user\AppData\Local\Temp\6485a4.tmp0%ReversingLabs
      C:\Users\user\AppData\Local\Temp\64c0e8.tmp0%ReversingLabs
      C:\Users\user\AppData\Local\Temp\64c146.tmp0%ReversingLabs
      C:\Users\user\Desktop\QQWER.dll73%ReversingLabsWin32.Infostealer.OnlineGames
      No Antivirus matches
      No Antivirus matches
      SourceDetectionScannerLabelLink
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtm0%Avira URL Cloudsafe
      http://ts-ocsp.ws.s0%Avira URL Cloudsafe
      http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt-0%Avira URL Cloudsafe
      http://.httpsset-cookie:;;0%Avira URL Cloudsafe
      http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt._cache_0%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtgrams0%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtS0%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtn0%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt30%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt10%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtST0%Avira URL Cloudsafe
      http://ts-ocsp.ws.symantec.0%Avira URL Cloudsafe
      https://User-Agent:Mozilla/4.00%Avira URL Cloudsafe
      https://ww(w.v0%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtAs0%Avira URL Cloudsafe
      http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt0%Avira URL Cloudsafe
      http://sf.symc0%Avira URL Cloudsafe
      http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt0%Avira URL Cloudsafe
      http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtJ0%Avira URL Cloudsafe
      http://42.193.100.57/%E5%AD%98%E6%A1%A3/0%Avira URL Cloudsafe
      NameIPActiveMaliciousAntivirus DetectionReputation
      s-part-0017.t-0009.t-msedge.net
      13.107.246.45
      truefalse
        high
        NameMaliciousAntivirus DetectionReputation
        http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtfalse
        • Avira URL Cloud: safe
        unknown
        http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtfalse
        • Avira URL Cloud: safe
        unknown
        NameSourceMaliciousAntivirus DetectionReputation
        http://www.eyuyan.com)DVarFileInfo$215.exefalse
          high
          http://ocsp.t215.exefalse
            high
            http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt._cache_215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://.httpsset-cookie:;;215.exefalse
            • Avira URL Cloud: safe
            unknown
            http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtm215.exe, 00000004.00000002.2629366792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtgrams215.exe, 00000004.00000002.2629366792.0000000000B3F000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://ts-ocsp.ws.s215.exefalse
            • Avira URL Cloud: safe
            unknown
            http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtn215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1215.exefalse
              high
              http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt1215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt-215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt3215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtS215.exe, 00000000.00000002.2629312386.00000000009D6000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://ts-ocsp.ws.symantec.215.exefalse
              • Avira URL Cloud: safe
              unknown
              http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtST215.exe, 00000004.00000002.2629366792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://sf.symc215.exefalse
              • Avira URL Cloud: safe
              unknown
              http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtJ215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://ww(w.v215.exefalse
              • Avira URL Cloud: safe
              unknown
              https://User-Agent:Mozilla/4.0215.exefalse
              • Avira URL Cloud: safe
              unknown
              http://42.193.100.57/%E5%AD%98%E6%A1%A3/215.exefalse
              • Avira URL Cloud: safe
              unknown
              http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtAs215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              IPDomainCountryFlagASNASN NameMalicious
              42.193.100.57
              unknownChina
              4249LILLY-ASUSfalse
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1559177
              Start date and time:2024-11-20 09:20:48 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 5m 35s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:215.exe
              Detection:MAL
              Classification:mal84.evad.winEXE@2/11@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:Failed
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: 215.exe
              TimeTypeDescription
              08:21:51AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\Desktop\215.exe
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              42.193.100.57#U4fdd#U62a4#U795e1.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57/%E5%8D%83%E5%8D%83%E6%99%9A%E6%98%9F16.exe
              213.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
              211.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
              212.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
              214.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              s-part-0017.t-0009.t-msedge.net213.exeGet hashmaliciousUnknownBrowse
              • 13.107.246.45
              212.exeGet hashmaliciousUnknownBrowse
              • 13.107.246.45
              file.exeGet hashmaliciousLummaCBrowse
              • 13.107.246.45
              file.exeGet hashmaliciousStealcBrowse
              • 13.107.246.45
              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
              • 13.107.246.45
              file.exeGet hashmaliciousLummaCBrowse
              • 13.107.246.45
              PO-000041492.xlsGet hashmaliciousUnknownBrowse
              • 13.107.246.45
              Credit_DetailsCBS24312017915.xla.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.45
              Payment Advice.xlsGet hashmaliciousUnknownBrowse
              • 13.107.246.45
              Delivery_Notification_00116030.doc.jsGet hashmaliciousUnknownBrowse
              • 13.107.246.45
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              LILLY-ASUS#U4fdd#U62a4#U795e1.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57
              213.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57
              211.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57
              212.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57
              214.exeGet hashmaliciousUnknownBrowse
              • 42.193.100.57
              SWIFT COPY 0028_pdf.exeGet hashmaliciousFormBookBrowse
              • 43.155.76.124
              arm7.nn-20241120-0508.elfGet hashmaliciousMirai, OkiruBrowse
              • 43.52.215.121
              arm.nn-20241120-0508.elfGet hashmaliciousMirai, OkiruBrowse
              • 43.152.251.74
              x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
              • 40.221.176.183
              https://trackwniw.top/iGet hashmaliciousUnknownBrowse
              • 43.130.33.71
              No context
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
C:\Users\user\AppData\Local\Temp\6485a4.tmp99.exeGet hashmaliciousUnknownBrowse
211.exeGet hashmaliciousUnknownBrowse
212.exeGet hashmaliciousUnknownBrowse
214.exeGet hashmaliciousUnknownBrowse
SecuriteInfo.com.Win32.Evo-gen.19313.28597.exeGet hashmaliciousUnknownBrowse
file.exeGet hashmaliciousUnknownBrowse
file.exeGet hashmaliciousUnknownBrowse
file.exeGet hashmaliciousUnknownBrowse
FZ6oyLoqGM.exeGet hashmaliciousUnknownBrowse
Lisect_AVT_24003_G1A_54.exeGet hashmaliciousBdaejecBrowse
C:\Users\user\AppData\Local\Temp\648508.tmp99.exeGet hashmaliciousUnknownBrowse
211.exeGet hashmaliciousUnknownBrowse
212.exeGet hashmaliciousUnknownBrowse
214.exeGet hashmaliciousUnknownBrowse
SecuriteInfo.com.Win32.Evo-gen.19313.28597.exeGet hashmaliciousUnknownBrowse
file.exeGet hashmaliciousUnknownBrowse
file.exeGet hashmaliciousUnknownBrowse
file.exeGet hashmaliciousUnknownBrowse
BCNFNjvJNq.exeGet hashmaliciousADWIND, Lokibot, Ramnit, SalityBrowse
cnlg48.exeGet hashmaliciousUnknownBrowse
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1699896
                                                      Entropy (8bit):6.290547513916722
                                                      Encrypted:false
                                                      SSDEEP:24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
                                                      MD5:5564A98A4692BA8B2D25770FB834D5F6
                                                      SHA1:129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
                                                      SHA-256:28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
                                                      SHA-512:D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Joe Sandbox View:
                                                      • Filename: 99.exe, Detection: malicious, Browse
                                                      • Filename: 211.exe, Detection: malicious, Browse
                                                      • Filename: 212.exe, Detection: malicious, Browse
                                                      • Filename: 214.exe, Detection: malicious, Browse
                                                      • Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse
                                                      • Filename: file.exe, Detection: malicious, Browse
                                                      • Filename: file.exe, Detection: malicious, Browse
                                                      • Filename: file.exe, Detection: malicious, Browse
                                                      • Filename: BCNFNjvJNq.exe, Detection: malicious, Browse
                                                      • Filename: cnlg48.exe, Detection: malicious, Browse
                                                      Reputation:moderate, very likely benign file
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1679648
                                                      Entropy (8bit):5.3288490918902225
                                                      Encrypted:false
                                                      SSDEEP:24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
                                                      MD5:2E8AB67DC55089DFBCBFA7710BD15B07
                                                      SHA1:159434853CE512029314C6B70070220D251A924A
                                                      SHA-256:2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
                                                      SHA-512:7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Joe Sandbox View:
                                                      • Filename: 99.exe, Detection: malicious, Browse
                                                      • Filename: 211.exe, Detection: malicious, Browse
                                                      • Filename: 212.exe, Detection: malicious, Browse
                                                      • Filename: 214.exe, Detection: malicious, Browse
                                                      • Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious, Browse
                                                      • Filename: file.exe, Detection: malicious, Browse
                                                      • Filename: file.exe, Detection: malicious, Browse
                                                      • Filename: file.exe, Detection: malicious, Browse
                                                      • Filename: FZ6oyLoqGM.exe, Detection: malicious, Browse
                                                      • Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious, Browse
                                                      Reputation:moderate, very likely benign file
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1699896
                                                      Entropy (8bit):6.290547513916722
                                                      Encrypted:false
                                                      SSDEEP:24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
                                                      MD5:5564A98A4692BA8B2D25770FB834D5F6
                                                      SHA1:129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
                                                      SHA-256:28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
                                                      SHA-512:D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Reputation:moderate, very likely benign file
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1679648
                                                      Entropy (8bit):5.3288490918902225
                                                      Encrypted:false
                                                      SSDEEP:24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
                                                      MD5:2E8AB67DC55089DFBCBFA7710BD15B07
                                                      SHA1:159434853CE512029314C6B70070220D251A924A
                                                      SHA-256:2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
                                                      SHA-512:7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Reputation:moderate, very likely benign file
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PC bitmap, Windows 3.x format, 88 x 30 x 24, image size 7920, cbSize 7974, bits offset 54
                                                      Category:dropped
                                                      Size (bytes):7974
                                                      Entropy (8bit):5.673356453027983
                                                      Encrypted:false
                                                      SSDEEP:192:Ff/ZR+G5hr4gwFy2EmU8fTDAa/AUdiwcWOWNnLV:FfbEzsxUdinWDh
                                                      MD5:7E50424DE95D765740BCE30899FA4E3B
                                                      SHA1:306B279E18EB8830960449758C025C0F13F7A484
                                                      SHA-256:1886332AA5F083560E14B3E7DAEF8BFBFA7BE16FBD93CC10CD84C11C87014AA6
                                                      SHA-512:4E9349366B4A16111B47E6E78D289DC22892BA7B2E5E5A8F46C808CA268FEEE1D7483A4E43F46686DB24E4C50C4BABBD2A8722D323A25C7656F31C45D186B5A3
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PC bitmap, Windows 3.x format, 43 x 25 x 24, image size 3300, cbSize 3354, bits offset 54
                                                      Category:dropped
                                                      Size (bytes):3354
                                                      Entropy (8bit):2.989481212693407
                                                      Encrypted:false
                                                      SSDEEP:12:hqVRlllllllllLlll7lllllllllp9l+fs9WLtOlqTT9WLXLELc9WLccwlVLcEAAZ:pIsgTZMY
                                                      MD5:6391A0DCDD648730D0801673DAA5E9C9
                                                      SHA1:023E19E73F390D6C976A75E4804E356F8D4E2B79
                                                      SHA-256:8CBC9646B997839C056FA4C663B843971C084CDC044502753A543D83D35092C5
                                                      SHA-512:17C8C196F2D27928FA01E2A461E9F2400E1ACFE73B50A3B3B9A03C3117D2EEC346E9032CE35DA508C26BE561404142DD073D5F7E393729160830EE148C5F4536
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
                                                      Category:dropped
                                                      Size (bytes):14774
                                                      Entropy (8bit):4.868699837953847
                                                      Encrypted:false
                                                      SSDEEP:384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
                                                      MD5:EE883808D176D23096A2D4F339C84368
                                                      SHA1:D901775EDE136567215ABE718023C1A62F46A0A6
                                                      SHA-256:3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
                                                      SHA-512:F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PC bitmap, Windows 3.x format, 124 x 21 x 24, image size 7812, cbSize 7866, bits offset 54
                                                      Category:dropped
                                                      Size (bytes):7866
                                                      Entropy (8bit):2.8370523003123043
                                                      Encrypted:false
                                                      SSDEEP:24:o4XlQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQP:T+QgQ2VQPQ/QNQmQTQGQKxQyQIHiw1
                                                      MD5:5D70530E3663B004B68425154CB9AFB9
                                                      SHA1:46CFADA3D2EDE8A3280598BD4E2EC89CE0C7D56F
                                                      SHA-256:0818DF2198DA1889321E82F769F3AA6B01F9CD773987354A8F5E0908379F45CE
                                                      SHA-512:824569EAB3FBB412708BB35CDF0A3630289008307A518E68253CFAAD379CFB830C56A2582D2FB071561BF2FB3ADB2535CEBA13319A3A096009357E152022119E
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PC bitmap, Windows 3.x format, 132 x 32 x 24, image size 12672, cbSize 12726, bits offset 54
                                                      Category:dropped
                                                      Size (bytes):12726
                                                      Entropy (8bit):5.79054775797227
                                                      Encrypted:false
                                                      SSDEEP:384:xcEOHiLY/s8/wo4C4tPzSrEEBN/LMzeW1:xcdHiLeF4Q4pSY+hLMzv
                                                      MD5:FA9FA099399E2ADF93BE1348C4AED087
                                                      SHA1:3FB710D8AD919AE6783E222DF46305E39FA81098
                                                      SHA-256:3749B52884564A500221E53DE5FCF24A2F6E3EDB4E58ADB13CF2B5F8F422BA7B
                                                      SHA-512:A6D378F8AD7EFAF4A3067D3F601AFAB53C83947DA29C9F6A21BAD21F287D2CAB093939BD017F32971EE6B3DA1EC82BE6D59234CB446A325A33C8AA5215200DD8
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PC bitmap, Windows 3.x format, 312 x 196 x 24, image size 183456, cbSize 183510, bits offset 54
                                                      Category:dropped
                                                      Size (bytes):183510
                                                      Entropy (8bit):5.556020063769881
                                                      Encrypted:false
                                                      SSDEEP:3072:6Sv2XACrsCmcuRGDpKiVarMsILpZTjDuD:rv2tNRdn5hpZvQ
                                                      MD5:1C4B3140D22A2921DC9E023E3E68963E
                                                      SHA1:0D4F280950E2221F30D40DF40A14C496FD5B9723
                                                      SHA-256:4F7D1D27980D902757136771413B5B9E681D7D5664259F8C0914DAEF986F1614
                                                      SHA-512:F0615BDA954AA84B871237F7BD64046BB99CAD7EE1CB43C28917B13EB5EC08120E659138C721A660D8B00567E00B79BB6C9384ED30E8EB522D84617177642037
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\215.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):687517
                                                      Entropy (8bit):7.999653084247243
                                                      Encrypted:true
                                                      SSDEEP:12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
                                                      MD5:4B7109E2F77FF15219B81079DF8C12B2
                                                      SHA1:AB3BF417AF304B83CD49707E399BC06E1E10D519
                                                      SHA-256:BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
                                                      SHA-512:770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 73%
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):6.337170104826467
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:215.exe
                                                      File size:5'222'400 bytes
                                                      MD5:4d18783059031dea15c1ff32f60ea380
                                                      SHA1:b370235425ba172a351eb7bd9c3e711029103c62
                                                      SHA256:62dcd6e23be41d2f3d5a350d909240714781431b2d8dbffea6d31cd9b4d170d1
                                                      SHA512:eaf09b4b43e24269c38e967c67e1bf83aaa5264e73d0bf6f4d533c55466ab2ecbb9d32549791ced53475d6e29863f8c0fee3821c82bd20c2e82fc0f28a134b53
                                                      SSDEEP:98304:0+X5XaVffwHHKoRdqP60SbRQTD4wP7wxJRzDSbRQTD4wP7wxJRz4:z2Uqo5+/z7wxJR6+/z7wxJRE
                                                      TLSH:1136AE03B252C866D2142BB455F5E738D6384FA17C75CA43E7E0FCA37D32A636B5260A
                                                      Icon Hash:0f4d70f0ed71330f
                                                      Entrypoint:0x52d6f8
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:
                                                      Time Stamp:0x672B0F01 [Wed Nov 6 06:38:57 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:04c7a30e342800eb893154d4d8d3104c
                                                      Instruction
                                                      push ebp
                                                      mov ebp, esp
                                                      push FFFFFFFFh
                                                      push 007C9A78h
                                                      push 00530564h
                                                      mov eax, dword ptr fs:[00000000h]
                                                      push eax
                                                      mov dword ptr fs:[00000000h], esp
                                                      sub esp, 58h
                                                      push ebx
                                                      push esi
                                                      push edi
                                                      mov dword ptr [ebp-18h], esp
                                                      call dword ptr [005503E8h]
                                                      xor edx, edx
                                                      mov dl, ah
                                                      mov dword ptr [00828EACh], edx
                                                      mov ecx, eax
                                                      and ecx, 000000FFh
                                                      mov dword ptr [00828EA8h], ecx
                                                      shl ecx, 08h
                                                      add ecx, edx
                                                      mov dword ptr [00828EA4h], ecx
                                                      shr eax, 10h
                                                      mov dword ptr [00828EA0h], eax
                                                      push 00000001h
                                                      call 00007F1535141567h
                                                      pop ecx
                                                      test eax, eax
                                                      jne 00007F153513B54Ah
                                                      push 0000001Ch
                                                      call 00007F153513B608h
                                                      pop ecx
                                                      call 00007F1535141312h
                                                      test eax, eax
                                                      jne 00007F153513B54Ah
                                                      push 00000010h
                                                      call 00007F153513B5F7h
                                                      pop ecx
                                                      xor esi, esi
                                                      mov dword ptr [ebp-04h], esi
                                                      call 00007F1535141140h
                                                      call dword ptr [00550358h]
                                                      mov dword ptr [0082E0E4h], eax
                                                      call 00007F1535140FFEh
                                                      mov dword ptr [00828E18h], eax
                                                      call 00007F1535140DA7h
                                                      call 00007F1535140CE9h
                                                      call 00007F153513FC1Ah
                                                      mov dword ptr [ebp-30h], esi
                                                      lea eax, dword ptr [ebp-5Ch]
                                                      push eax
                                                      call dword ptr [005501C8h]
                                                      call 00007F1535140C7Ah
                                                      mov dword ptr [ebp-64h], eax
                                                      test byte ptr [ebp-30h], 00000001h
                                                      je 00007F153513B548h
                                                      movzx eax, word ptr [ebp+00h]
                                                      Programming Language:
                                                      • [C++] VS98 (6.0) SP6 build 8804
                                                      • [ C ] VS98 (6.0) SP6 build 8804
                                                      • [C++] VS98 (6.0) build 8168
                                                      • [ C ] VS98 (6.0) build 8168
                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name                                  | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x3d2a28        | 0x12c        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x42f000        | 0x10ce8c     | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT             | 0x150000        | 0x7d8        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy           | Characteristics
.text  | 0x1000          | 0x14e9ce     | 0x14f000 | 9c02fb128765a52f5cece20e31624e3c | False    | 0.4091862465018657 | data      | 6.417817864716353 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x150000        | 0x2852b4     | 0x286000 | 33823403cd4167de96eb61ef6cbcc7fa | unknown  | unknown            | unknown   | unknown           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x3d6000        | 0x580ea      | 0x18000  | a586ad8f9316ccde2b7eecb54cd1069a | False    | 0.3039042154947917 | data      | 5.076038986374587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x42f000        | 0x10ce8c     | 0x10d000 | e64db9b885839be50d9740fb68390968 | False    | 0.4221699654391264 | data      | 4.847579887280327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name        | RVA      | Size     | Type                                                                                          | Language | Country | ZLIB Complexity
TEXTINCLUDE | 0x42fb9c | 0xb      | ASCII text, with no line terminators                                                          | Chinese  | China   | 1.7272727272727273
TEXTINCLUDE | 0x42fba8 | 0x16     | data                                                                                          | Chinese  | China   | 1.3636363636363635
TEXTINCLUDE | 0x42fbc0 | 0x151    | C source, ASCII text, with CRLF line terminators                                              | Chinese  | China   | 0.6201780415430267
RT_CURSOR   | 0x42fd14 | 0x134    | data                                                                                          | Chinese  | China   | 0.5811688311688312
RT_CURSOR   | 0x42fe48 | 0x134    | Targa image data - Map 64 x 65536 x 1 +32 "\001"                                              | Chinese  | China   | 0.37662337662337664
RT_CURSOR   | 0x42ff7c | 0x134    | Targa image data - RGB 64 x 65536 x 1 +32 "\001"                                              | Chinese  | China   | 0.4805194805194805
RT_CURSOR   | 0x4300b0 | 0xb4     | Targa image data - Map 32 x 65536 x 1 +16 "\001"                                              | Chinese  | China   | 0.7
RT_BITMAP   | 0x430164 | 0x248    | Device independent bitmap graphic, 64 x 15 x 4, image size 480                                | Chinese  | China   | 0.3407534246575342
RT_BITMAP   | 0x4303ac | 0x144    | Device independent bitmap graphic, 33 x 11 x 4, image size 220                                | Chinese  | China   | 0.4444444444444444
RT_BITMAP   | 0x4304f0 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m   | Chinese  | China   | 0.26453488372093026
RT_BITMAP   | 0x430648 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m   | Chinese  | China   | 0.2616279069767442
RT_BITMAP   | 0x4307a0 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m   | Chinese  | China   | 0.2441860465116279
RT_BITMAP   | 0x4308f8 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m   | Chinese  | China   | 0.24709302325581395
RT_BITMAP   | 0x430a50 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m   | Chinese  | China   | 0.2238372093023256
RT_BITMAP   | 0x430ba8 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240                                | Chinese  | China   | 0.19476744186046513
RT_BITMAP   | 0x430d00 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240                                | Chinese  | China   | 0.20930232558139536
RT_BITMAP   | 0x430e58 | 0x158    | Device independent bitmap graphic, 20 x 20 x 4, image size 240                                | Chinese  | China   | 0.18895348837209303
RT_BITMAP   | 0x430fb0 | 0x5e4    | Device independent bitmap graphic, 70 x 39 x 4, image size 1404                               | Chinese  | China   | 0.34615384615384615
RT_BITMAP   | 0x431594 | 0xb8     | Device independent bitmap graphic, 12 x 10 x 4, image size 80                                 | Chinese  | China   | 0.44565217391304346
RT_BITMAP   | 0x43164c | 0x16c    | Device independent bitmap graphic, 39 x 13 x 4, image size 260                                | Chinese  | China   | 0.28296703296703296
RT_BITMAP   | 0x4317b8 | 0x144    | Device independent bitmap graphic, 33 x 11 x 4, image size 220                                | Chinese  | China   | 0.37962962962962965
RT_ICON     | 0x4318fc | 0x2e8    | Device independent bitmap graphic, 32 x 64 x 4, image size 640                                | Chinese  | China   | 0.26344086021505375
RT_ICON     | 0x431be4 | 0x128    | Device independent bitmap graphic, 16 x 32 x 4, image size 192                                | Chinese  | China   | 0.41216216216216217
RT_ICON     | 0x431d0c | 0x108028 | Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152                        |          |         | 0.43531131744384766
RT_MENU     | 0x539d34 | 0xc      | data                                                                                          | Chinese  | China   | 1.5
RT_MENU     | 0x539d40 | 0x284    | data                                                                                          | Chinese  | China   | 0.5
RT_DIALOG   | 0x539fc4 | 0x98     | data                                                                                          | Chinese  | China   | 0.7171052631578947
RT_DIALOG   | 0x53a05c | 0x17a    | data                                                                                          | Chinese  | China   | 0.5185185185185185
RT_DIALOG   | 0x53a1d8 | 0xfa     | data                                                                                          | Chinese  | China   | 0.696
RT_DIALOG   | 0x53a2d4 | 0xea     | data                                                                                          | Chinese  | China   | 0.6239316239316239
RT_DIALOG   | 0x53a3c0 | 0x8ae    | data                                                                                          | Chinese  | China   | 0.39603960396039606
RT_DIALOG   | 0x53ac70 | 0xb2     | data                                                                                          | Chinese  | China   | 0.7359550561797753
RT_DIALOG   | 0x53ad24 | 0xcc     | data                                                                                          | Chinese  | China   | 0.7647058823529411
RT_DIALOG   | 0x53adf0 | 0xb2     | data                                                                                          | Chinese  | China   | 0.6629213483146067
RT_DIALOG   | 0x53aea4 | 0xe2     | data                                                                                          | Chinese  | China   | 0.6637168141592921
                                                      RT_DIALOG0x53af880x18cdataChineseChina0.5227272727272727
                                                      RT_STRING0x53b1140x50dataChineseChina0.85
                                                      RT_STRING0x53b1640x2cdataChineseChina0.5909090909090909
                                                      RT_STRING0x53b1900x78dataChineseChina0.925
                                                      RT_STRING0x53b2080x1c4dataChineseChina0.8141592920353983
                                                      RT_STRING0x53b3cc0x12adataChineseChina0.5201342281879194
                                                      RT_STRING0x53b4f80x146dataChineseChina0.6288343558282209
                                                      RT_STRING0x53b6400x40dataChineseChina0.65625
                                                      RT_STRING0x53b6800x64dataChineseChina0.73
                                                      RT_STRING0x53b6e40x1d8dataChineseChina0.6758474576271186
                                                      RT_STRING0x53b8bc0x114dataChineseChina0.6376811594202898
                                                      RT_STRING0x53b9d00x24dataChineseChina0.4444444444444444
                                                      RT_GROUP_CURSOR0x53b9f40x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina1.25
                                                      RT_GROUP_CURSOR0x53ba080x14Lotus unknown worksheet or configuration, revision 0x1ChineseChina1.25
                                                      RT_GROUP_CURSOR0x53ba1c0x22Lotus unknown worksheet or configuration, revision 0x2ChineseChina1.0294117647058822
                                                      RT_GROUP_ICON0x53ba400x14Targa image data - Map 32 x 32808 x 161.1
                                                      RT_GROUP_ICON0x53ba540x14dataChineseChina1.2
                                                      RT_GROUP_ICON0x53ba680x14dataChineseChina1.25
                                                      RT_VERSION0x53ba7c0x240dataChineseChina0.5642361111111112
                                                      RT_MANIFEST0x53bcbc0x1cdXML 1.0 document, ASCII text, with very long lines (461), with no line terminators0.5878524945770065
DLL | Import
WINMM.dll | midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
WS2_32.dll | WSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
RASAPI32.dll | RasGetConnectStatusA, RasHangUpA
KERNEL32.dll | MultiByteToWideChar, SetLastError, GetTimeZoneInformation, OpenProcess, TerminateThread, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, InterlockedExchange, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetVersion
USER32.dll | SetWindowRgn, DestroyAcceleratorTable, GetWindow, GetActiveWindow, SetFocus, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, CreateAcceleratorTableA, LoadStringA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, UnregisterClassA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, GetDlgItem, GetWindowTextA, CallWindowProcA, CreateWindowExA, RegisterHotKey, UnregisterHotKey, SetWindowTextA, GetSysColorBrush, FindWindowA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow
GDI32.dll | PtVisible, GetViewportExtEx, ExtSelectClipRgn, LineTo, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, RealizePalette, SelectPalette, StretchBlt, CreatePalette, RectVisible, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, CreateCompatibleDC, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetSystemPaletteEntries, GetDIBits
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll | RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
SHELL32.dll | Shell_NotifyIconA, SHGetSpecialFolderPathA, SHChangeNotify, ShellExecuteA, DragQueryFileA, DragFinish, DragAcceptFiles
ole32.dll | CLSIDFromProgID, OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
OLEAUT32.dll | VariantChangeType, VariantClear, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayGetDim, SafeArrayCreate, SafeArrayUnaccessData, UnRegisterTypeLib, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayAccessData
COMCTL32.dll | ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag
WININET.dll | InternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
comdlg32.dll | ChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA
Language of compilation system | Country where language is spoken | Map
Chinese | China
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 09:21:37.771127939 CET | 1.1.1.1 | 192.168.2.9 | 0x575c | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 09:21:37.771127939 CET | 1.1.1.1 | 192.168.2.9 | 0x575c | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                                      • 42.193.100.57
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49759 | 42.193.100.57 | 80 | 7260 | C:\Users\user\Desktop\215.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:21:46.870161057 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:21:47.975423098 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:21:47 GMT
Content-Length: 5139
Nov 20, 2024 09:21:52.894475937 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:21:53.992697954 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:21:53 GMT
Content-Length: 5139
                                                      Nov 20, 2024 09:21:59.924892902 CET164OUTGET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
                                                      Accept: */*
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                      Host: 42.193.100.57
                                                      Cache-Control: no-cache
                                                      Nov 20, 2024 09:22:00.340388060 CET  1236  IN  HTTP/1.1 404 Not Found
                                                      Content-Type: text/html
                                                      Server: Microsoft-IIS/8.5
                                                      Date: Wed, 20 Nov 2024 08:21:59 GMT
                                                      Content-Length: 1163
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
                                                      Nov 20, 2024 09:22:00.340399027 CET  64  IN  Data Raw: dd ca b1 b2 bb bf c9 d3 c3 a1 a3 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: </h3> </fieldset></div></div></body></html>


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      1           192.168.2.9  49758        42.193.100.57   80                7260  C:\Users\user\Desktop\215.exe
                                                      Timestamp                        Bytes transferred  Direction  Data
                                                      Nov 20, 2024 09:21:46.870857000 CET  181  OUT  GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                      Accept: */*
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                      Host: 42.193.100.57
                                                      Cache-Control: no-cache
                                                      Nov 20, 2024 09:21:47.946599960 CET  1236  IN  HTTP/1.1 200 OK
                                                      Content-Type: text/plain
                                                      Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                      Accept-Ranges: bytes
                                                      ETag: "c04e101e3bdb1:0"
                                                      Server: Microsoft-IIS/8.5
                                                      Date: Wed, 20 Nov 2024 08:21:47 GMT
                                                      Content-Length: 5139
                                                      Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
                                                      Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
                                                      Nov 20, 2024 09:21:47.946718931 CET  1236  IN  Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
                                                      Data Ascii: T4
                                                      Nov 20, 2024 09:21:47.946731091 CET  1236  IN  Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0
                                                      Data Ascii: 2III322
                                                      Nov 20, 2024 09:21:47.946764946 CET  1236  IN  Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae
                                                      Data Ascii: ORPG2
                                                      Nov 20, 2024 09:21:47.946857929 CET  419  IN  Data Raw: 0a be f8 b6 d4 b7 c0 ca d8 32 0d 0a bb c3 cf eb b7 e7 bb aa c2 bc 0d 0a bd a8 bb f9 b5 d8 b1 a9 b4 f2 b2 bb cb c0 d7 e5 0d 0a cc ec c3 fc d4 da ce d2 0d 0a cd f2 bd e7 c9 f1 d7 f0 0d 0a c3 ce bc a3 c9 b3 ba d3 34 0d 0a bb c3 da a4 ca a5 bd e7 0d
                                                      Data Ascii: 242323


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      2           192.168.2.9  49850        42.193.100.57   80                7584  C:\Users\user\Desktop\215.exe
                                                      Timestamp                        Bytes transferred  Direction  Data
                                                      Nov 20, 2024 09:22:01.458440065 CET  181  OUT  GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                      Accept: */*
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                      Host: 42.193.100.57
                                                      Cache-Control: no-cache
                                                      Nov 20, 2024 09:22:02.553563118 CET  1236  IN  HTTP/1.1 200 OK
                                                      Content-Type: text/plain
                                                      Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                      Accept-Ranges: bytes
                                                      ETag: "c04e101e3bdb1:0"
                                                      Server: Microsoft-IIS/8.5
                                                      Date: Wed, 20 Nov 2024 08:22:02 GMT
                                                      Content-Length: 5139
                                                      Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
                                                      Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
                                                      Nov 20, 2024 09:22:02.553597927 CET  224  IN  Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
                                                      Data Ascii: T4
                                                      Nov 20, 2024 09:22:02.553611040 CET  1236  IN  Data Raw: 0d 0a ce d2 d2 aa b4 f2 bd a9 ca ac 0d 0a d2 bb c9 ed d1 fd d7 b0 0d 0a ce d2 c4 dc b4 b3 bc b8 b9 d8 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 0d 0a bf aa cf e4 c9 fa b4 e6 0d 0a ca ae b5 ee d1 d6 c2 de 32 b2 e2 ca d4 0d 0a c6 e5 c5 cc ce
                                                      Data Ascii: 2II2T
                                                      Nov 20, 2024 09:22:02.553731918 CET  1236  IN  Data Raw: ae c3 fc d4 cb 0d 0a ca ae b5 ee d1 d6 c2 de 32 d7 a8 cb a2 c8 a8 cf de 0d 0a d0 a1 d0 a1 bd a3 ca a5 d7 a8 cb a2 c8 a8 cf de 0d 0a d2 bb c4 ee cd a8 cc ec d7 a8 cb a2 c8 a8 cf de 0d 0a cb c4 c9 fa ca d3 bd e7 d7 a8 cb a2 c8 a8 cf de 0d 0a b7 e7
                                                      Data Ascii: 2F38.26
                                                      Nov 20, 2024 09:22:02.553787947 CET  1236  IN  Data Raw: af 0d 0a b7 e8 bf f1 b4 f2 bd f0 0d 0a cc b0 c0 b7 bf f3 bf d3 0d 0a c7 f3 cf c9 cc ec b5 c0 54 44 0d 0a b3 d4 ca e9 c9 fa b4 e6 0d 0a ba da bb ea c6 f4 ca be c2 bc 0d 0a ce d2 d4 da c3 f7 c4 a9 b5 b1 bd ab be fc 0d 0a be f8 ca c0 ce e4 bb ea 0d
                                                      Data Ascii: TD7
                                                      Nov 20, 2024 09:22:02.553802013 CET  195  IN  Data Raw: d2 bb c9 ed c9 f1 d7 b0 33 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d5 b6 d4 c2 cd c0 c1 fa 0d 0a d0 fe bb f0 b2 d4 f1 b7 0d 0a d3 a2 d0 db c2 b7 0d 0a be fc cd c5 d5 bd d5 f9 35 0d 0a b0 b5 ba da d1 ad bb b7 c8 a6 0d 0a c3 ce bc a3 c9 b3 ba d3 32 0d
                                                      Data Ascii: 35222
                                                      Nov 20, 2024 09:22:07.768471003 CET  181  OUT  GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                      Accept: */*
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                      Host: 42.193.100.57
                                                      Cache-Control: no-cache
                                                      Nov 20, 2024 09:22:08.147660017 CET  1236  IN  HTTP/1.1 200 OK
                                                      Content-Type: text/plain
                                                      Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                      Accept-Ranges: bytes
                                                      ETag: "c04e101e3bdb1:0"
                                                      Server: Microsoft-IIS/8.5
                                                      Date: Wed, 20 Nov 2024 08:22:08 GMT
                                                      Content-Length: 5139
                                                      Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
                                                      Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
                                                      Nov 20, 2024 09:22:08.147680998 CET  1236  IN  Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
                                                      Data Ascii: T4
                                                      Nov 20, 2024 09:22:08.147695065 CET  1236  IN  Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0
                                                      Data Ascii: 2III322
                                                      Nov 20, 2024 09:22:08.147763968 CET  1236  IN  Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae
                                                      Data Ascii: ORPG2
                                                      Nov 20, 2024 09:22:08.147775888 CET  419  IN  Data Raw: 0a be f8 b6 d4 b7 c0 ca d8 32 0d 0a bb c3 cf eb b7 e7 bb aa c2 bc 0d 0a bd a8 bb f9 b5 d8 b1 a9 b4 f2 b2 bb cb c0 d7 e5 0d 0a cc ec c3 fc d4 da ce d2 0d 0a cd f2 bd e7 c9 f1 d7 f0 0d 0a c3 ce bc a3 c9 b3 ba d3 34 0d 0a bb c3 da a4 ca a5 bd e7 0d
                                                      Data Ascii: 242323
                                                      Nov 20, 2024 09:22:14.798880100 CET  164  OUT  GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
                                                      Accept: */*
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                      Host: 42.193.100.57
                                                      Cache-Control: no-cache
                                                      Nov 20, 2024 09:22:15.376276016 CET  1236  IN  HTTP/1.1 404 Not Found
                                                      Content-Type: text/html
                                                      Server: Microsoft-IIS/8.5
                                                      Date: Wed, 20 Nov 2024 08:22:15 GMT
                                                      Content-Length: 1163
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
                                                      Nov 20, 2024 09:22:15.376342058 CET  64  IN  Data Raw: dd ca b1 b2 bb bf c9 d3 c3 a1 a3 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: </h3> </fieldset></div></div></body></html>


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      3           192.168.2.9  49851        42.193.100.57   80                7584  C:\Users\user\Desktop\215.exe
                                                      Timestamp                        Bytes transferred  Direction  Data
                                                      Nov 20, 2024 09:22:01.471618891 CET  181  OUT  GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                      Accept: */*
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                      Host: 42.193.100.57
                                                      Cache-Control: no-cache
                                                      Nov 20, 2024 09:22:02.551242113 CET  1236  IN  HTTP/1.1 200 OK
                                                      Content-Type: text/plain
                                                      Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                      Accept-Ranges: bytes
                                                      ETag: "c04e101e3bdb1:0"
                                                      Server: Microsoft-IIS/8.5
                                                      Date: Wed, 20 Nov 2024 08:22:02 GMT
                                                      Content-Length: 5139
                                                      Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
                                                      Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
                                                      Nov 20, 2024 09:22:02.551264048 CET  1236  IN  Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
                                                      Data Ascii: T4
                                                      Nov 20, 2024 09:22:02.551280022 CET  1236  IN  Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0
                                                      Data Ascii: 2III322
                                                      Nov 20, 2024 09:22:02.551361084 CET  1236  IN  Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae
                                                      Data Ascii: ORPG2
                                                      Nov 20, 2024 09:22:02.551477909 CET  419  IN  Data Raw: 0a be f8 b6 d4 b7 c0 ca d8 32 0d 0a bb c3 cf eb b7 e7 bb aa c2 bc 0d 0a bd a8 bb f9 b5 d8 b1 a9 b4 f2 b2 bb cb c0 d7 e5 0d 0a cc ec c3 fc d4 da ce d2 0d 0a cd f2 bd e7 c9 f1 d7 f0 0d 0a c3 ce bc a3 c9 b3 ba d3 34 0d 0a bb c3 da a4 ca a5 bd e7 0d
                                                      Data Ascii: 242323



                                                      Target ID:0
                                                      Start time:03:21:44
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\Desktop\215.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\215.exe"
                                                      Imagebase:0x400000
                                                      File size:5'222'400 bytes
                                                      MD5 hash:4D18783059031DEA15C1FF32F60EA380
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:4
                                                      Start time:03:21:59
                                                      Start date:20/11/2024
                                                      Path:C:\Users\user\Desktop\215.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\215.exe"
                                                      Imagebase:0x400000
                                                      File size:5'222'400 bytes
                                                      MD5 hash:4D18783059031DEA15C1FF32F60EA380
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:false


                                                        Execution Graph

                                                        Execution Coverage:6.7%
                                                        Dynamic/Decrypted Code Coverage:51.7%
                                                        Signature Coverage:36%
                                                        Total number of Nodes:662
                                                        Total number of Limit Nodes:24
                                                        execution_graph: node/edge dump of the interactive execution graph (node id, code address, API calls, edges written as "a->b"); the raw dump is not reproduced here. API calls named in the graph nodes: GetProcessHeap, HeapReAlloc, HeapAlloc, FreeLibrary, RtlUnwind, GetModuleHandleA, IsBadReadPtr, RtlFreeHeap, VirtualFree, HeapFree, LeaveCriticalSection, ReleaseMutex, CreateMutexA, HeapCreate, LdrGetDllHandleEx, GetVersionExA, GetSystemInfo, RtlGetNtVersionNumbers, LdrGetProcedureAddress, IsBadCodePtr, RtlComputeCrc32, _CIfmod, ExitProcess, RtlAllocateHeap, MessageBoxA, sprintf, MultiByteToWideChar.
21553->21554 21555 1001890c 21554->21555 21556 10018926 GetSystemDirectoryA 21555->21556 21557 10018944 21556->21557 21557->21441 21559 100193ea 21558->21559 21580 100294c0 21559->21580 21561 10019463 21562 1001947d CopyFileA 21561->21562 21564 100194a0 21562->21564 21587 10028d40 CreateFileA 21564->21587 21565 100194da 21566 10028d40 8 API calls 21565->21566 21567 10019550 21565->21567 21566->21567 21592 10028e50 DeleteFileA 21567->21592 21569 1001959d 21593 10006495 21569->21593 21571 100195b3 21572 100195e3 RtlAllocateHeap 21571->21572 21575 10019832 21571->21575 21573 1001960e 21572->21573 21599 10008edd 26 API calls 21573->21599 21575->21443 21577 1001966e 21600 100094fb 26 API calls 21577->21600 21578->21447 21579->21440 21581 100294d1 GetTempPathA 21580->21581 21582 100294e5 21580->21582 21581->21582 21583 10029543 GetTickCount wsprintfA PathFileExistsA 21582->21583 21583->21583 21584 1002956b 21583->21584 21585 10027bb0 4 API calls 21584->21585 21586 1002957f 21585->21586 21586->21561 21588 10028d64 GetFileSize 21587->21588 21589 10028da9 21587->21589 21590 10027bb0 4 API calls 21588->21590 21589->21565 21591 10028d7d ReadFile CloseHandle 21590->21591 21591->21589 21592->21569 21594 100064ad 21593->21594 21595 1000679e 21594->21595 21596 1000652f RtlMoveMemory 21594->21596 21595->21571 21597 10006669 21596->21597 21598 10027ca0 5 API calls 21597->21598 21598->21595 21599->21577 21600->21575 21602 10027f40 21601->21602 21604 10027f80 21602->21604 21605 10027f4c 21602->21605 21603 10027feb 21603->21451 21604->21603 21606 10027f9b 21604->21606 21610 10027fc2 21604->21610 21622 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 21605->21622 21623 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 21606->21623 21609 10027fb8 21609->21451 21624 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 21610->21624 21611 10027f76 21611->21451 21613 10027fe1 21613->21451 21615 1001006f 21614->21615 21616 100283f0 16 API calls 
21615->21616 21617 10010097 21616->21617 21625 10028ad0 21617->21625 21619 100100cc 21632 10028b30 21619->21632 21621 10010173 21621->21457 21622->21611 21623->21609 21624->21613 21626 10028b23 21625->21626 21627 10028ae4 21625->21627 21626->21619 21627->21626 21628 10027bb0 4 API calls 21627->21628 21629 10028afa 21628->21629 21630 10028b05 strncpy 21629->21630 21631 10028b19 21629->21631 21630->21630 21630->21631 21631->21619 21633 10028b91 21632->21633 21634 10028b45 21632->21634 21633->21621 21634->21633 21635 10027bb0 4 API calls 21634->21635 21636 10028b68 21635->21636 21636->21621 21638 1001a00d 21637->21638 21651 1001a031 21638->21651 21641 1001a0ce 21642 10027f20 4 API calls 21641->21642 21643 1001a0f7 21642->21643 21666 1001a199 21643->21666 21645 1001a16d 21645->21470 21647 100280c0 4 API calls 21646->21647 21648 1000800f 21647->21648 21677 10007db8 21648->21677 21650 10008052 21650->21465 21652 1001a047 21651->21652 21660 1001a0a1 21651->21660 21653 1000188f 17 API calls 21652->21653 21655 1001a058 21653->21655 21665 100031b3 6 API calls 21655->21665 21656 10019f88 21656->21465 21656->21641 21658 1001a074 21659 1001a087 InterlockedExchange 21658->21659 21659->21660 21661 10004b1b 21660->21661 21662 10004b3d 21661->21662 21664 10004b2e 21661->21664 21662->21662 21663 10004baa LdrInitializeThunk 21662->21663 21662->21664 21663->21656 21664->21656 21665->21658 21667 1001a1af 21666->21667 21675 1001a209 21666->21675 21669 1000188f 17 API calls 21667->21669 21668 10004b1b LdrInitializeThunk 21670 1001a22b 21668->21670 21671 1001a1c0 21669->21671 21670->21645 21676 100031b3 6 API calls 21671->21676 21673 1001a1dc 21674 1001a1ef InterlockedExchange 21673->21674 21674->21675 21675->21668 21676->21673 21678 10007dce 21677->21678 21679 10007e28 21677->21679 21680 1000188f 17 API calls 21678->21680 21681 10004b1b LdrInitializeThunk 21679->21681 21682 10007ddf 21680->21682 21683 10007e4a 21681->21683 21687 100031b3 6 API calls 21682->21687 21683->21650 21685 
10007dfb 21686 10007e0e InterlockedExchange 21685->21686 21686->21679 21687->21685 22134 10027050 62 API calls 22190 10011753 DispatchMessageA CallWindowProcA 22139 1002706f 46 API calls 22196 10026d73 88 API calls 22197 10026b71 23 API calls 22199 1002572d 23 API calls 22141 10026c7b HeapAlloc 22201 10026f7c 45 API calls 22144 1002708e 33 API calls 22205 10027192 59 API calls 22208 10026f9b 23 API calls 22147 10026e99 89 API calls 21688 52eff7 21691 52f009 21688->21691 21692 52f006 21691->21692 21694 52f010 21691->21694 21694->21692 21695 52f035 21694->21695 21696 52f062 21695->21696 21698 52f0a5 21695->21698 21702 52f090 21696->21702 21713 535e34 29 API calls 21696->21713 21701 52f0c7 21698->21701 21698->21702 21699 52f078 21714 5373e1 HeapReAlloc HeapAlloc VirtualAlloc HeapFree VirtualAlloc 21699->21714 21700 52f114 RtlAllocateHeap 21710 52f097 21700->21710 21716 535e34 29 API calls 21701->21716 21702->21700 21702->21710 21705 52f083 21715 52f09c LeaveCriticalSection 21705->21715 21706 52f0ce 21717 537e84 6 API calls 21706->21717 21709 52f0e1 21718 52f0fb LeaveCriticalSection 21709->21718 21710->21694 21712 52f0ee 21712->21702 21712->21710 21713->21699 21714->21705 21715->21702 21716->21706 21717->21709 21718->21712 21745 52d6f8 GetVersion 21777 533778 HeapCreate 21745->21777 21747 52d756 21748 52d763 21747->21748 21749 52d75b 21747->21749 21789 533535 37 API calls 21748->21789 21797 52d825 8 API calls 21749->21797 21753 52d768 21754 52d774 21753->21754 21755 52d76c 21753->21755 21790 533379 34 API calls 21754->21790 21798 52d825 8 API calls 21755->21798 21759 52d77e GetCommandLineA 21791 533247 37 API calls 21759->21791 21761 52d78e 21799 532ffa 49 API calls 21761->21799 21763 52d798 21792 532f41 48 API calls 21763->21792 21765 52d79d 21766 52d7a2 GetStartupInfoA 21765->21766 21793 532ee9 48 API calls 21766->21793 21768 52d7b4 21769 52d7bd 21768->21769 21770 52d7c6 GetModuleHandleA 21769->21770 21794 53d05e 21770->21794 21774 52d7e1 21801 532d71 36 API calls 
21774->21801 21776 52d7f2 21778 533798 21777->21778 21779 5337ce 21777->21779 21802 533630 57 API calls 21778->21802 21779->21747 21781 53379d 21782 5337a7 21781->21782 21785 5337b4 21781->21785 21803 537045 HeapAlloc 21782->21803 21784 5337d1 21784->21747 21785->21784 21804 537b8c HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 21785->21804 21786 5337b1 21786->21784 21788 5337c2 HeapDestroy 21786->21788 21788->21779 21789->21753 21790->21759 21791->21761 21792->21765 21793->21768 21805 5458bb 21794->21805 21799->21763 21800 531ea4 32 API calls 21800->21774 21801->21776 21802->21781 21803->21786 21804->21786 21816 54461c 21805->21816 21813 52d7d8 21813->21800 21814 545902 21844 54a8ff 68 API calls 21814->21844 21845 549215 21816->21845 21819 54462d 21821 5491ef 21819->21821 21820 5491ef 65 API calls 21820->21819 21822 549777 65 API calls 21821->21822 21823 5491fe 21822->21823 21824 5458cd 21823->21824 21874 54980c 21823->21874 21826 54a040 SetErrorMode SetErrorMode 21824->21826 21827 5491ef 65 API calls 21826->21827 21828 54a057 21827->21828 21829 5491ef 65 API calls 21828->21829 21831 54a066 21829->21831 21830 54a08c 21833 5491ef 65 API calls 21830->21833 21831->21830 21882 54a0a3 21831->21882 21834 54a091 21833->21834 21835 5458e5 21834->21835 21901 544631 21834->21901 21835->21814 21837 53f71e 21835->21837 21840 53f733 21837->21840 21842 53f72a 21837->21842 21838 53f73b 21925 52d57c 21838->21925 21840->21838 21841 53f77a 21840->21841 21932 53f5f2 29 API calls 21841->21932 21842->21814 21844->21813 21846 5491ef 65 API calls 21845->21846 21847 54921a 21846->21847 21850 549777 21847->21850 21851 549780 21850->21851 21852 5497ad TlsGetValue 21850->21852 21854 54979a 21851->21854 21871 549377 65 API calls 21851->21871 21853 5497c0 21852->21853 21857 544621 21853->21857 21858 5497d3 21853->21858 21861 549410 EnterCriticalSection 21854->21861 21856 5497ab 21856->21852 21857->21819 21857->21820 21872 54957f 65 API calls 21858->21872 21862 54942f 21861->21862 
21864 54947c GlobalHandle GlobalUnlock GlobalReAlloc 21862->21864 21865 549469 GlobalAlloc 21862->21865 21870 5494eb 21862->21870 21863 549500 LeaveCriticalSection 21863->21856 21866 54949e 21864->21866 21865->21866 21867 5494c7 GlobalLock 21866->21867 21868 5494ac GlobalHandle GlobalLock LeaveCriticalSection 21866->21868 21867->21870 21873 53d901 65 API calls __EH_prolog 21868->21873 21870->21863 21871->21854 21872->21857 21873->21867 21875 549816 __EH_prolog 21874->21875 21876 549844 21875->21876 21880 54a4bc 6 API calls 21875->21880 21876->21824 21878 54982d 21881 54a52c LeaveCriticalSection 21878->21881 21880->21878 21881->21876 21883 5491ef 65 API calls 21882->21883 21884 54a0b6 GetModuleFileNameA 21883->21884 21912 52f6c7 29 API calls 21884->21912 21886 54a0e8 21913 54a1c0 lstrlenA lstrcpynA 21886->21913 21888 54a104 21889 54a11a 21888->21889 21918 531e4c 29 API calls 21888->21918 21900 54a154 21889->21900 21914 5451a1 21889->21914 21892 54a16c lstrcpyA 21920 531e4c 29 API calls 21892->21920 21894 54a196 lstrcatA 21921 531e4c 29 API calls 21894->21921 21895 54a1b4 21895->21830 21897 54a187 21897->21894 21897->21895 21900->21892 21900->21897 21902 5491ef 65 API calls 21901->21902 21903 544636 21902->21903 21911 54468e 21903->21911 21922 548fb8 21903->21922 21906 54980c 7 API calls 21907 54466c 21906->21907 21908 5491ef 65 API calls 21907->21908 21910 544679 21907->21910 21908->21910 21909 549777 65 API calls 21909->21911 21910->21909 21911->21835 21912->21886 21913->21888 21915 5491ef 65 API calls 21914->21915 21916 5451a7 LoadStringA 21915->21916 21917 5451c2 21916->21917 21919 531e4c 29 API calls 21917->21919 21918->21889 21919->21900 21920->21897 21921->21895 21923 549777 65 API calls 21922->21923 21924 544642 GetCurrentThreadId SetWindowsHookExA 21923->21924 21924->21906 21933 530f64 21925->21933 21927 52d586 EnterCriticalSection 21928 52d5a4 21927->21928 21929 52d5d5 LeaveCriticalSection 21927->21929 21934 53f0db 29 API calls 21928->21934 21929->21842 
21931 52d5b6 21931->21929 21932->21842 21933->21927 21934->21931 22150 4cc8e0 HeapFree 22151 100274b1 10 API calls 22153 548aed 65 API calls __EH_prolog 22154 1002a472 __CxxFrameHandler 22155 10026eb8 90 API calls 22156 10026cb9 23 API calls 21935 4cc2f0 21938 4cc2d0 21935->21938 21941 4c4020 21938->21941 21940 4cc2e1 21942 4c404b 21941->21942 21943 4c40e3 21941->21943 21945 4c4073 GetProcAddress 21942->21945 21946 4c406a 21942->21946 21944 4c437c 21943->21944 21947 4c4111 21943->21947 21996 52e388 6 API calls 21943->21996 21944->21940 21951 4c40b5 21945->21951 21952 4c4093 21945->21952 21993 52e388 6 API calls 21946->21993 21959 4c424f 21947->21959 21961 4c413c 21947->21961 21995 4c4000 35 API calls 21951->21995 21994 4c43f0 70 API calls 21952->21994 21954 4c40cd 21954->21940 21955 4c4254 LoadLibraryA 21956 4c4264 GetProcAddress 21955->21956 21955->21959 21956->21959 21958 4c42aa 21958->21944 21967 4c42bf FreeLibrary 21958->21967 21968 4c42c6 21958->21968 21959->21955 21959->21958 21963 4c4296 FreeLibrary 21959->21963 21960 4c421a LoadLibraryA 21960->21958 21962 4c4227 GetProcAddress 21960->21962 21961->21960 21964 4c4168 21961->21964 21965 4c4190 21961->21965 21962->21958 21970 4c4237 21962->21970 21963->21959 21966 53fafa 32 API calls 21964->21966 21987 53fafa 21965->21987 21971 4c4174 LoadLibraryA 21966->21971 21967->21968 21975 4c432a 21968->21975 21976 4c42d7 21968->21976 21970->21958 21973 4c4184 21971->21973 21972 4c41a6 21974 53fafa 32 API calls 21972->21974 21973->21962 21973->21965 21977 4c41ba LoadLibraryA 21974->21977 21998 4c43f0 70 API calls 21975->21998 21997 4c43f0 70 API calls 21976->21997 21982 4c41ca 21977->21982 21980 4c4355 21980->21940 21981 4c4303 21981->21940 21982->21962 21983 4c4212 21982->21983 21984 53fafa 32 API calls 21982->21984 21983->21960 21983->21962 21985 4c4202 LoadLibraryA 21984->21985 21986 53f8b1 21985->21986 21986->21983 21988 53fb04 __EH_prolog 21987->21988 21989 53fb23 lstrlenA 21988->21989 21990 53fb1f 21988->21990 
21989->21990 21999 53fa56 21990->21999 21992 53fb41 21992->21972 21993->21945 21994->21951 21995->21954 21996->21947 21997->21981 21998->21980 22000 53fa6a 21999->22000 22001 53fa70 21999->22001 22002 53f71e 31 API calls 22000->22002 22001->21992 22002->22001 22159 1001a595 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22215 10026dc5 30 API calls 22218 10026bd6 25 API calls 22162 100270d8 28 API calls 22163 10026cd8 22 API calls 22165 4cc690 83 API calls 22168 531eb5 32 API calls 22221 10026de4 84 API calls 22225 100291f3 ??3@YAXPAX GetProcessHeap HeapFree 22226 100293f0 ??3@YAXPAX 22171 10026ef6 75 API calls 22172 10026cf7 43 API calls 22003 4cc6b0 22006 4c60b0 22003->22006 22005 4cc6d5 22007 4c60ec 22006->22007 22008 4c60f0 22007->22008 22010 4c6102 22007->22010 22082 4c43f0 70 API calls 22008->22082 22011 4c6134 22010->22011 22012 4c62ac 22010->22012 22013 4c625f 22011->22013 22014 4c6540 22011->22014 22015 4c6211 22011->22015 22016 4c61c2 22011->22016 22017 4c6163 22011->22017 22026 4c60fd 22011->22026 22036 4c6436 22011->22036 22037 4c6344 22011->22037 22018 4c62f0 IsWindow 22012->22018 22033 4c6306 22012->22033 22024 4c6297 22013->22024 22025 4c6282 22013->22025 22013->22026 22014->22026 22049 4c65e4 22014->22049 22050 4c65d5 22014->22050 22022 4c624a 22015->22022 22023 4c6235 22015->22023 22015->22026 22020 4c61fc 22016->22020 22021 4c61e7 22016->22021 22016->22026 22083 52e4d4 29 API calls 22017->22083 22018->22033 22086 4c5fb0 51 API calls 22020->22086 22085 4c5fb0 51 API calls 22021->22085 22088 4c5fb0 51 API calls 22022->22088 22087 4c5fb0 51 API calls 22023->22087 22090 4c5fb0 51 API calls 22024->22090 22089 4c5fb0 51 API calls 22025->22089 22026->22005 22034 4c6919 22033->22034 22035 4c6332 22033->22035 22044 4c6933 22034->22044 22101 4c43f0 70 API calls 22034->22101 22035->22014 22035->22026 22035->22036 22035->22037 22036->22026 22040 4c6485 GetWindowRect 22036->22040 22037->22026 22041 4c639d GetWindowRect GetParent 22037->22041 22039 
4c617d 22039->22026 22084 4c5fb0 51 API calls 22039->22084 22042 4c64c4 22040->22042 22043 4c64a6 22040->22043 22091 5412b4 66 API calls 22041->22091 22096 543c3b SetWindowPos 22042->22096 22095 543c3b SetWindowPos 22043->22095 22046 4c6bb0 22044->22046 22064 4c6a6f 22044->22064 22071 4c6968 22044->22071 22046->22071 22103 4ce0f0 70 API calls 22046->22103 22054 4c676a 22049->22054 22078 4c6609 22049->22078 22097 543c8a 22050->22097 22051 4c63c0 22055 4c63e0 22051->22055 22092 543b22 GetWindowLongA 22051->22092 22100 4c2570 87 API calls 22054->22100 22094 543bfa MoveWindow 22055->22094 22059 4c63cd 22059->22055 22093 5460ee GetWindowLongA ScreenToClient ScreenToClient 22059->22093 22060 4c6cb3 IsWindow 22060->22026 22062 4c6cbe 22060->22062 22062->22026 22066 4c6cd2 22062->22066 22065 4c6aa6 GetStockObject GetObjectA 22064->22065 22067 4c6a95 22064->22067 22065->22067 22104 4c3ae0 PeekMessageA 22066->22104 22067->22071 22102 4ce0f0 70 API calls 22067->22102 22071->22026 22071->22060 22073 4c6cff 22074 4c3ae0 67 API calls 22073->22074 22076 4c6d06 22074->22076 22075 4c6751 22075->22026 22077 543c8a ShowWindow 22075->22077 22076->22026 22077->22026 22078->22026 22078->22075 22079 4c66b4 IsWindow 22078->22079 22079->22075 22081 4c66c6 22079->22081 22080 4b47c0 SendMessageA 22080->22081 22081->22078 22081->22080 22082->22026 22083->22039 22084->22026 22085->22026 22086->22026 22087->22026 22088->22026 22089->22026 22090->22026 22091->22051 22092->22059 22093->22055 22094->22026 22095->22026 22096->22026 22098 543ca0 22097->22098 22099 543c91 ShowWindow 22097->22099 22098->22026 22099->22098 22100->22026 22101->22044 22102->22071 22103->22071 22105 4c3afd 22104->22105 22106 4c3b23 22104->22106 22105->22106 22107 54461c 65 API calls 22105->22107 22108 4c3b10 PeekMessageA 22105->22108 22109 4c3b40 105 API calls 22106->22109 22107->22105 22108->22105 22108->22106 22109->22073

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,007E95F4), ref: 004C4087
                                                        • LoadLibraryA.KERNEL32(?,?,007F9FD8), ref: 004C4177
                                                        • LoadLibraryA.KERNEL32(?,?), ref: 004C41BD
                                                        • LoadLibraryA.KERNEL32(?,?,007F9EE0,?), ref: 004C4205
                                                        • LoadLibraryA.KERNEL32(?), ref: 004C421B
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004C422D
                                                        • FreeLibrary.KERNEL32(00000000), ref: 004C42C0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressProc$Free
                                                        • String ID:
                                                        • API String ID: 3120990465-0

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                        • RtlAllocateHeap.NTDLL(00980000,00000008,?,?,10028674), ref: 10027BCD
                                                        • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateMessageProcess
                                                        • String ID: error
                                                        • API String ID: 2992861138-1574812785

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                          • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                          • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                          • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                        • String ID: @
                                                        • API String ID: 183890193-2766056989
                                                        • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                        • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                        • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                        • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                        Control-flow Graph
                                                        APIs
                                                        • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                        • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                        • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Version$InfoNumbersSystem
                                                        • String ID:
                                                        • API String ID: 995872648-0
                                                        • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                        • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                        • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                        • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                        Control-flow Graph
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID: `+Tw
                                                        • API String ID: 3535843008-1053621713
                                                        • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                        • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                        • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                        • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                        Control-flow Graph
                                                        APIs
                                                          • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                        • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                          • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Create$Heap$ComputeCrc32Mutex
                                                        • String ID:
                                                        • API String ID: 3311811139-0
                                                        • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                        • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                        • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                        • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                        • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                        • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                        • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID:
                                                        • API String ID: 367298776-0
                                                        • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                        • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                        • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                        • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                        • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                        • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                        • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eff86b3369604c168ca94e5b018aeef39f44ef7b9592c514a0c6e698817bcc87
                                                        • Instruction ID: d997229761de131e08a559b29ed41666ee65bf73282d50bbff6bb74cd0886000
                                                        • Opcode Fuzzy Hash: eff86b3369604c168ca94e5b018aeef39f44ef7b9592c514a0c6e698817bcc87
                                                        • Instruction Fuzzy Hash: 3B313970900A0DEBCF00DF95E1C5A9DBB70FF49300F61C0D1E9A46A259CB369A34DB66

                                                        Control-flow Graph
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(00828AA0,00828A74,00000000,?,00828A84,00828A84,005497AB,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6,?,00000000), ref: 0054941F
                                                        • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00828A84,00828A84,005497AB,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6,?,00000000), ref: 00549474
                                                        • GlobalHandle.KERNEL32(00992788), ref: 0054947D
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00549486
                                                        • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549498
                                                        • GlobalHandle.KERNEL32(00992788), ref: 005494AF
                                                        • GlobalLock.KERNEL32(00000000), ref: 005494B6
                                                        • LeaveCriticalSection.KERNEL32(0052D7D8,?,?,00828A84,00828A84,005497AB,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6,?,00000000), ref: 005494BC
                                                        • GlobalLock.KERNEL32(00000000), ref: 005494CB
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00549514
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                        • String ID:
                                                        • API String ID: 2667261700-0
                                                        • Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                        • Instruction ID: 53e9ce612839a117e337449bba78e3c70638cbec2c790d547ca72150bc8ce824
                                                        • Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                        • Instruction Fuzzy Hash: 923165752007069FDB249F68DC9AA6B7BE9FF44305F014A2DF856C3661D771E849CB10

                                                        Control-flow Graph
                                                        APIs
                                                        • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                        • GetTickCount.KERNEL32 ref: 10029543
                                                        • wsprintfA.USER32 ref: 10029558
                                                        • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Path$CountExistsFileTempTickwsprintf
                                                        • String ID: %s%x.tmp
                                                        • API String ID: 3843276195-78920241
                                                        • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                        • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                        • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                        • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                        • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                          • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                          • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00980000,00000008,?,?,10028674), ref: 10027BCD
                                                          • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                        • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                        • String ID:
                                                        • API String ID: 749537981-0
                                                        • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                        • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                        • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                        • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                        Control-flow Graph

                                                        control_flow_graph 884 544631-54463a call 5491ef 887 54463c-544667 call 548fb8 GetCurrentThreadId SetWindowsHookExA call 54980c 884->887 888 54468f 884->888 892 54466c-544672 887->892 893 544674-544679 call 5491ef 892->893 894 54467f-54468e call 549777 892->894 893->894 894->888
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00544644
                                                        • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544654
                                                          • Part of subcall function 0054980C: __EH_prolog.LIBCMT ref: 00549811
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CurrentH_prologHookThreadWindows
                                                        • String ID: V`H
                                                        • API String ID: 2183259885-1425837005
                                                        • Opcode ID: 15d8a5ef623d8784ea92b3510a4e55f0f4dab0f796e01b6461698236c593e94b
                                                        • Instruction ID: ce4c10ce4f1fde015653ad3c903fdbeacdb3969411db0e93e2fecd0e6ffa25ff
                                                        • Opcode Fuzzy Hash: 15d8a5ef623d8784ea92b3510a4e55f0f4dab0f796e01b6461698236c593e94b
                                                        • Instruction Fuzzy Hash: DDF0A031891311AFCF602BB0E80FBEA7E54BB81729F45125CF552A61E1DE6048848B51

                                                        Control-flow Graph

                                                        control_flow_graph 1167 54a040-54a06b SetErrorMode * 2 call 5491ef * 2 1172 54a08c-54a096 call 5491ef 1167->1172 1173 54a06d-54a087 call 54a0a3 1167->1173 1177 54a09d-54a0a0 1172->1177 1178 54a098 call 544631 1172->1178 1173->1172 1178->1177
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000000,00000000,005458E5,00000000,00000000,00000000,00000000,?,00000000,?,0053D073,00000000,00000000,00000000,00000000,0052D7D8), ref: 0054A049
                                                        • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D073,00000000,00000000,00000000,00000000,0052D7D8,00000000), ref: 0054A050
                                                          • Part of subcall function 0054A0A3: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A0D4
                                                          • Part of subcall function 0054A0A3: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A175
                                                          • Part of subcall function 0054A0A3: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A1A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                        • String ID:
                                                        • API String ID: 3389432936-0
                                                        • Opcode ID: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                                                        • Instruction ID: 188b5d5e8e1fe35dd59b7982f089a1208d62352469dd32f557762db68908edfc
                                                        • Opcode Fuzzy Hash: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                                                        • Instruction Fuzzy Hash: 88F03775A842128FDB54AF24D449A8A7FA8BF84714F05848EB8489B3A2CB74D840CF96

                                                        Control-flow Graph

                                                        control_flow_graph 1180 4c3ae0-4c3afb PeekMessageA 1181 4c3afd-4c3b02 1180->1181 1182 4c3b23-4c3b27 1180->1182 1181->1182 1183 4c3b04-4c3b21 call 54461c PeekMessageA 1181->1183 1183->1181 1183->1182
                                                        APIs
                                                        • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C3AF7
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3B1D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: MessagePeek
                                                        • String ID:
                                                        • API String ID: 2222842502-0
                                                        • Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                        • Instruction ID: 549516e6bee9550d6c28109cdb640dbf344df1ff570d04f4577fde9d5c346bc4
                                                        • Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                        • Instruction Fuzzy Hash: 38F09B35B40312BBFB20EAA48C07F6B37986F44B01F54445AF7419B1D1E6B4F504CBA9
                                                        APIs
                                                        • HeapCreate.KERNEL32(00000000,00001000,00000000,0052D756,00000001), ref: 00533789
                                                          • Part of subcall function 00533630: GetVersionExA.KERNEL32 ref: 0053364F
                                                        • HeapDestroy.KERNEL32 ref: 005337C8
                                                          • Part of subcall function 00537045: HeapAlloc.KERNEL32(00000000,00000140,005337B1,000003F8), ref: 00537052
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocCreateDestroyVersion
                                                        • String ID:
                                                        • API String ID: 2507506473-0
                                                        • Opcode ID: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                                                        • Instruction ID: 436b11923727e9549315da22d288eca00aceb1011756a23ab154c99fd471797b
                                                        • Opcode Fuzzy Hash: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                                                        • Instruction Fuzzy Hash: 41F065F0655302AEEB706B70AC4A7393FE0FB84B52F204835F400C45B5EA608785DA01
                                                        APIs
                                                        • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                        • RtlFreeHeap.NTDLL(00980000,00000000,00000000), ref: 10027C80
                                                          • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FreeHandleHeapModuleRead
                                                        • String ID:
                                                        • API String ID: 627478288-0
                                                        • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                        • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                        • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                        • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F11C
                                                          • Part of subcall function 00535E34: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E71
                                                          • Part of subcall function 00535E34: EnterCriticalSection.KERNEL32(?,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E8C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                        • String ID:
                                                        • API String ID: 1616793339-0
                                                        • Opcode ID: 13d1776afa5f12be5ee3715adac4af9234b4447746f83b7395a2fc1db7bbc90f
                                                        • Instruction ID: 7199248a12a6cf82eb1af24f2ab9af2755dd37cfe2b98d853d65e0f2b04fea4d
                                                        • Opcode Fuzzy Hash: 13d1776afa5f12be5ee3715adac4af9234b4447746f83b7395a2fc1db7bbc90f
                                                        • Instruction Fuzzy Hash: 74216072A00265EBDB20DB65FC4AB9E7B74BF02B20F244539F811EB1C1D6749941DB54
                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074), ref: 0052EFE2
                                                          • Part of subcall function 00535E34: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E71
                                                          • Part of subcall function 00535E34: EnterCriticalSection.KERNEL32(?,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E8C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterFreeHeapInitialize
                                                        • String ID:
                                                        • API String ID: 641406236-0
                                                        • Opcode ID: 344201eb90bba04c0db412ba41cde0b17f8c3e97b6b073196274d8a04a6716e2
                                                        • Instruction ID: 6b2a2f7a0a4882739065feda01e4419bac96473d30e33cf75b3221229cdabaa9
                                                        • Opcode Fuzzy Hash: 344201eb90bba04c0db412ba41cde0b17f8c3e97b6b073196274d8a04a6716e2
                                                        • Instruction Fuzzy Hash: D2219272C0561AAADF21AB94ED0BBAEBF78FF05720F240229F410B61D0D7749941DBA1
                                                        APIs
                                                        • LoadStringA.USER32(?,?,?,?), ref: 005451B8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: LoadString
                                                        • String ID:
                                                        • API String ID: 2948472770-0
                                                        • Opcode ID: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
                                                        • Instruction ID: 3205bcf6ada461b04f27a636879d6f3c113a41d2d57550d41bb3619f785f2c60
                                                        • Opcode Fuzzy Hash: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
                                                        • Instruction Fuzzy Hash: 7BD0A7721083629BCB12DF508808DCFBFA8BF54321B040C0DF88443111D320C404CB61
                                                        APIs
                                                        • ShowWindow.USER32(?,?,004C064C,00000000), ref: 00543C98
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        • Opcode ID: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                        • Instruction ID: f0a6913aaba4f4cd7a5797eb91c1e2fe5e7be7c40ecdc7b22ac4f8dd38869419
                                                        • Opcode Fuzzy Hash: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                        • Instruction Fuzzy Hash: 6AD09231214200EFCF059F61CA88B5ABBA2BF94709B609968E5469A165D732DD12EB41
                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                        • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                        • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                        • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 1001F57C
                                                        • IsIconic.USER32(00000000), ref: 1001F86F
                                                        • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
                                                        • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
                                                        • GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
                                                        • GetWindowRect.USER32(00000000,?), ref: 100201EB
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 100205D5
                                                        • CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
                                                        • SelectObject.GDI32(00000000,00000000), ref: 10020798
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 100207D7
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1002086C
                                                        • PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
                                                        • SelectObject.GDI32(00000000,00000000), ref: 10020ADE
                                                        • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4
                                                          • Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8
                                                          • Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
                                                        • String ID:
                                                        • API String ID: 3140154463-0
                                                        • Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                        • Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
                                                        • Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                        • Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25
                                                        APIs
                                                        • PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FileFindNamePath
                                                        • String ID:
                                                        • API String ID: 1422272338-0
                                                        • Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                        • Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
                                                        • Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                        • Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 004CBFCC
                                                        • IsZoomed.USER32(?), ref: 004CBFDA
                                                        • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CC004
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CC017
                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CC025
                                                        • FreeLibrary.KERNEL32(00000000), ref: 004CC05B
                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC071
                                                        • IsWindow.USER32(?), ref: 004CC09E
                                                        • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC0AB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                                        • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                                        • API String ID: 447426925-661446951
                                                        • Opcode ID: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
                                                        • Instruction ID: 8f59d3ea329ccbef569b13d5a2e219825e78f0e85dcc19b69b40bfeef4af95d8
                                                        • Opcode Fuzzy Hash: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
                                                        • Instruction Fuzzy Hash: 66316D75300302AFDB509FA1CC99F2B77A8EF94B02F04451DFA05A7290DB78DD098BA5
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
                                                        • InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
                                                        • InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
                                                        • InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
                                                        • InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
                                                        • InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA
                                                          • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                        • GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked$CodeProcessThreadWindow
                                                        • String ID:
                                                        • API String ID: 1323220708-0
                                                        • Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                        • Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
                                                        • Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                        • Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15
                                                        APIs
                                                        • GetWindowRect.USER32(00000001,00000001), ref: 1002140D
                                                        • GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 100218DC
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1002195D
                                                        • PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
                                                        • GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
                                                        • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
                                                        • SelectObject.GDI32(00000000,00000000), ref: 100220CA
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 10022153
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
                                                        • String ID:
                                                        • API String ID: 2343085801-0
                                                        • Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                        • Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
                                                        • Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                        • Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f3c3d578e7a0b00efe87b03bc052e9acbe489039d54a352cccf99e25944f5682
                                                        • Instruction ID: f651f1bb2101c34fc63ecdb3c6d84fc346aa7901d0e46e70a26dfbdc5c0b4c1c
                                                        • Opcode Fuzzy Hash: f3c3d578e7a0b00efe87b03bc052e9acbe489039d54a352cccf99e25944f5682
                                                        • Instruction Fuzzy Hash: 7062D2796043418BC764DF28C890F6BB3E5AF84318F15892EF98A97351DB38EC05CB5A
                                                        APIs
                                                        • GetVersionExA.KERNEL32 ref: 0053364F
                                                        • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533684
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005336E4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentFileModuleNameVariableVersion
                                                        • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                        • API String ID: 1385375860-4131005785
                                                        • Opcode ID: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                                                        • Instruction ID: 4dfd56f8853c037a5b2d345562e560861c3106079beb8ae4064598f65af0b585
                                                        • Opcode Fuzzy Hash: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                                                        • Instruction Fuzzy Hash: 93314BF19052587DEB3187706C9ABED3F68FB16704F2404E9D185D6182E6309FCACB21
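The two records above are worth reading together: the GetDCEx / CreateCompatibleDC / SelectObject / PrintWindow / GetDIBits sequence in the 10000000 dump is the call chain behind the "Contains functionality to record screenshots" signature, while the GetVersionExA / GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT") / GetModuleFileNameA function in the 400000 image is MSVCRT's own __heap_select() startup routine (the __GLOBAL_HEAP_SELECTED and __MSVCRT_HEAP_SELECT strings belong to the C runtime) and says nothing about the sample's behaviour. The following added example, which is not Joe Sandbox code and not part of this report, parses records in the text layout shown here and applies both checks: an ordered API-chain match for screenshot capture and a string-based filter for CRT noise. The record layout is inferred from this export, the chain step sets are this example's own heuristic, and the sample records are transcribed from the report with argument lists shortened.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag API call chains.

Added example; the record format is inferred from the text export of this
report, not from any Joe Sandbox parser.
"""
import re
from dataclasses import dataclass, field

# One API line looks like:
#   • GetDCEx.USER32(00000000,...), ref: 100218AD
#   • GetVersionExA.KERNEL32 ref: 0053364F            (no argument list)
#     • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Every other bullet is "• Key: value"; "Instruction Fuzzy Hash" closes a record.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class Record:
    apis: list = field(default_factory=list)    # (api, module, ref, is_subcall)
    fields: dict = field(default_factory=dict)  # Source File, API ID, String ID, ...


def parse_records(text):
    """Split the export into records; each ends at its Instruction Fuzzy Hash line."""
    records, cur = [], Record()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["api"], m["mod"].upper(), int(m["ref"], 16), bool(m["sub"])))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"].strip()
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = Record()
    return records


def strip_aw(name):
    """Drop the ANSI/Unicode suffix (GetObjectA -> GetObject) but keep names
    such as CreateCompatibleDC whose final capital is part of the name."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


# Ordered capture chain behind the "record screenshots" signature; other calls
# may sit between steps. The step sets are this example's heuristic (assumption).
SCREENSHOT_CHAIN = [
    {"GetDC", "GetDCEx", "GetWindowDC"},
    {"CreateCompatibleDC"},
    {"SelectObject"},
    {"PrintWindow", "BitBlt", "StretchBlt"},
    {"GetDIBits"},
]


def matches_chain(apis, chain):
    """True if every chain step occurs, in order, somewhere in the API list."""
    step = 0
    for api, _mod, _ref, _sub in apis:
        if step < len(chain) and strip_aw(api) in chain[step]:
            step += 1
    return step == len(chain)


# Strings that identify compiler-runtime startup code rather than sample logic:
# MSVCRT's __heap_select() reads the __MSVCRT_HEAP_SELECT environment variable.
CRT_MARKERS = {"__MSVCRT_HEAP_SELECT": "MSVCRT __heap_select() startup code"}


def classify(rec):
    tags = []
    strings = rec.fields.get("String ID", "").split("$")
    tags += ["crt-noise: " + label for marker, label in CRT_MARKERS.items() if marker in strings]
    if matches_chain(rec.apis, SCREENSHOT_CHAIN):
        tags.append("screenshot-capture")
    return tags


def analyze(text):
    """Map each record (first 8 hex digits of its Instruction ID) to its tags."""
    return {r.fields.get("Instruction ID", "")[:8]: classify(r) for r in parse_records(text)}


# Three records transcribed from this report (argument lists shortened).
SAMPLE = """\
APIs
• GetWindowRect.USER32(00000001,00000001), ref: 1002140D
• GetDCEx.USER32(00000000,00000000,00000020,00000000), ref: 100218AD
• CreateCompatibleDC.GDI32(00000000), ref: 100218DC
• SelectObject.GDI32(00000000,00000000), ref: 1002195D
• PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
• GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
• GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
• SelectObject.GDI32(00000000,00000000), ref: 100220CA
• ReleaseDC.USER32(00000000,00000000), ref: 10022153
• Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
• Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26
APIs
• GetVersionExA.KERNEL32 ref: 0053364F
• GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533684
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005336E4
• String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
• Instruction ID: 4dfd56f8853c037a5b2d345562e560861c3106079beb8ae4064598f65af0b585
• Instruction Fuzzy Hash: 93314BF19052587DEB3187706C9ABED3F68FB16704F2404E9D185D6182E6309FCACB21
APIs
• GetDC.USER32(00000000), ref: 1001A976
• SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
• SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
• ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
• Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
• Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
"""

if __name__ == "__main__":
    for iid, tags in analyze(SAMPLE).items():
        print(iid, tags or ["-"])
```

Only the PrintWindow record is tagged as screenshot capture; the third record (GetDC, two SelectObject calls, ReleaseDC) touches the same GDI objects but never copies pixels out with a blit and GetDIBits, so the ordered match rejects it. The heap-select record is tagged as CRT noise so that it is not counted as sample behaviour when reviewing the 400000 image.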
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
                                                        • API String ID: 0-1655980394
                                                        • Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                        • Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
                                                        • Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                        • Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62
                                                        APIs
                                                        • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FileUnmapView
                                                        • String ID:
                                                        • API String ID: 2564024751-0
                                                        • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                        • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                        • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                        • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 1001A976
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$Release
                                                        • String ID:
                                                        • API String ID: 3581861777-0
                                                        • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                        • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                        • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                        • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                        APIs
                                                        • GetWindow.USER32(?,00000005), ref: 1001A773
                                                        • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                        • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Window$ProcessThreadVisible
                                                        • String ID:
                                                        • API String ID: 569392824-0
                                                        • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                        • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                        • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                        • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID: ($`+Tw
                                                        • API String ID: 3535843008-1911852529
                                                        • Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                        • Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
                                                        • Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                        • Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61
                                                        APIs
                                                        • SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
                                                        • SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
                                                        • UnloadKeyboardLayout.USER32(00000000), ref: 100159A5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: InfoParametersSystem$KeyboardLayoutUnload
                                                        • String ID:
                                                        • API String ID: 1487128349-0
                                                        • Opcode ID: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                        • Instruction ID: 050fea7ffa1bc3994f10f6bed9b27e470259e4e1db6febdaadab7ec0439d0979
                                                        • Opcode Fuzzy Hash: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                        • Instruction Fuzzy Hash: 224245B5E40305EBEB00DF94DCC2FAE77A4EF18355F540025E605BF286E776AA448B62
                                                        APIs
                                                        • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                        • NtClose.NTDLL(?), ref: 100141D7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CloseMutexRelease
                                                        • String ID: `+Tw
                                                        • API String ID: 2985832019-1053621713
                                                        • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                        • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                        • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                        • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                        APIs
                                                        • lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: Z$w
                                                        • API String ID: 1659193697-2716038989
                                                        • Opcode ID: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                        • Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
                                                        • Opcode Fuzzy Hash: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                        • Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55
                                                        APIs
                                                        • WindowFromDC.USER32(00000000), ref: 100237BF
                                                        • GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CurrentFromObjectWindow
                                                        • String ID:
                                                        • API String ID: 1970099965-0
                                                        • Opcode ID: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                        • Instruction ID: 5e3447216257589ac88371f0c3b1c154c22f3bd6e68f106655ab8dd4a69be074
                                                        • Opcode Fuzzy Hash: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                        • Instruction Fuzzy Hash: 9F313770D40308EBDB00DF90D886BADBBB0FB0A751F409065F6087E290E7B19A54DF96
                                                        APIs
                                                        • GetStockObject.GDI32(00000011), ref: 1001ACD1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ObjectStock
                                                        • String ID:
                                                        • API String ID: 3428563643-3916222277
                                                        • Opcode ID: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                        • Instruction ID: b9a15d43875d05f13c7aca3fde3137a0688d1b6e1dffe905ed574dcac1c1d11e
                                                        • Opcode Fuzzy Hash: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                        • Instruction Fuzzy Hash: AE325BB5A402569FEB00CF98DCC1B99BBF4FF29314F580065E546AB342D379B991CB22
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID: Thread
                                                        • API String ID: 367298776-915163573
                                                        • Opcode ID: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                        • Instruction ID: e87a296fab3b19ef06520bc3e141919b3527ea124beb15feda4261f24f1e3c13
                                                        • Opcode Fuzzy Hash: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                        • Instruction Fuzzy Hash: 38F116B5E00259ABEF00DFE4EC81BDDBBB5FF08314F640025F605BA241D7B6A9548B65
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID: Process
                                                        • API String ID: 367298776-1235230986
                                                        • Opcode ID: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                        • Instruction ID: 84bd04864f9d1e807072be8e5ab147b3cae892089b2f3c2b5496a308401e609c
                                                        • Opcode Fuzzy Hash: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                        • Instruction Fuzzy Hash: 85E104B5E41259ABEF00DFE4EC81B9DBBB5FF08304F640025F605BA241EB75A954CB61
                                                        APIs
                                                        • lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: #
                                                        • API String ID: 1659193697-1885708031
                                                        • Opcode ID: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                        • Instruction ID: 30fcd15e93819707c4a405128049bbda1367cf8e2b4a4446b34ba685154cf5d7
                                                        • Opcode Fuzzy Hash: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                        • Instruction Fuzzy Hash: 2232CF70D0061DEBEB10DFD0EC99BADBBB4FF48340F618094E495BA199CB715AB58B14
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 626452242-0
                                                        • Opcode ID: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                        • Instruction ID: b3f739b553b0eb222627b335ec04950199b8c6fc0fb38b6c76c83e211291c2b2
                                                        • Opcode Fuzzy Hash: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                        • Instruction Fuzzy Hash: 62417C74E0020DFBEB10DFD0EC46BAEBBB4FB08750F204165F618BA195DBB56A608B55
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 626452242-0
                                                        • Opcode ID: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                        • Instruction ID: dea56998412ea2cd2e2e07e98f2853e180ac33eb45cb94fa257388ef996dc557
                                                        • Opcode Fuzzy Hash: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                        • Instruction Fuzzy Hash: 543141B5E40309BBEB50DFD49C82FAE7BB4EB04710F108055FA18BE2C1D7B6A6909B55
                                                        APIs
                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentExpandStrings
                                                        • String ID:
                                                        • API String ID: 237503144-0
                                                        • Opcode ID: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                        • Instruction ID: 93bfbce67b494b6763231a081cd11fe6566247fc84b5e7443ef84a885c003b65
                                                        • Opcode Fuzzy Hash: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                        • Instruction Fuzzy Hash: 96313675E00309BBEB51DED49C82FAE7BF4EF08704F104065FA08BB242D772AA509B55
                                                        APIs
                                                        • DispatchMessageA.USER32(1001176C), ref: 100116D4
                                                        • CallWindowProcA.USER32(?,?,?,?), ref: 10011714
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CallDispatchMessageProcWindow
                                                        • String ID:
                                                        • API String ID: 3568206097-0
                                                        • Opcode ID: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                        • Instruction ID: 63bf1ad0f6820a7cfc32d841282287ffa4cda79eab35e4a2f1e5c3704b1abdfe
                                                        • Opcode Fuzzy Hash: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                        • Instruction Fuzzy Hash: AE21C775E40318EBDB00EF94DCC2A9DBBB1FB0D310F5040A5EA08AB351D371AA90DB52
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                        • Instruction ID: 90b3556d9a436454375a3f12806074c3db2d9078b135128fdcdde92096655a79
                                                        • Opcode Fuzzy Hash: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                        • Instruction Fuzzy Hash: 52C2B7B4F40346ABFB11CA94DCC2B9E77B0EB08390F214165F658FA2DAD7B15E408B56
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 626452242-0
                                                        • Opcode ID: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                        • Instruction ID: e83377b6f6ad2707753203cfccfcc485ecbfcdf7635717af9e37d537513bb723
                                                        • Opcode Fuzzy Hash: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                        • Instruction Fuzzy Hash: 29814D75E00209ABEF00DFD4DC86FEEBBB4EF08340F504065FA14BA285D7B5AA548B55
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID:
                                                        • API String ID: 367298776-0
                                                        • Opcode ID: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                        • Instruction ID: 7a99189caa79d54ac912ebbbba7bdc920c16141239c7c74b934a59564cf638f4
                                                        • Opcode Fuzzy Hash: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                        • Instruction Fuzzy Hash: 2A6238B5E40348ABEB10DF94DC82F9DBBB5FF08344F244025F608BE292E7B5A9558B51
                                                        APIs
                                                        • PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FileFindNamePath
                                                        • String ID:
                                                        • API String ID: 1422272338-0
                                                        • Opcode ID: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                        • Instruction ID: f98056538ddd495e24e8dfbf0cad4fd33bc614c33abef30b02bddadc29e55c32
                                                        • Opcode Fuzzy Hash: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                        • Instruction Fuzzy Hash: 364240B5A40219ABEB00DF94ECC2F9EB7B4FF5C354F140025EA09BF241E775A9508B66
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID:
                                                        • API String ID: 367298776-0
                                                        • Opcode ID: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                        • Instruction ID: ec57d409bd248faccfe3f0420db7539557fe035a6b0d78d3a35a1a7dfc2ec437
                                                        • Opcode Fuzzy Hash: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                        • Instruction Fuzzy Hash: AC5208B5E00208ABEF01DF94EC82FDDBBB5FF08314F544029F614BA292D7B5A9548B65
                                                        APIs
                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E
                                                          • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CodeLibraryLoad
                                                        • String ID:
                                                        • API String ID: 4269728939-0
                                                        • Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                        • Instruction ID: 8ca3c93d7244418e6012e556740facccd0f38a3c9c4ff1909e44a403dc44f6d3
                                                        • Opcode Fuzzy Hash: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                        • Instruction Fuzzy Hash: BC421AB5E40318AFEF50EF94DC82BDDBBB1FB08740F500125F618BA295D7B6A9808B55
                                                        APIs
                                                          • Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: MemoryMoveatoi
                                                        • String ID:
                                                        • API String ID: 2867837884-0
                                                        • Opcode ID: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                        • Instruction ID: c625aa631b3fd7664a23ceac8d029317df328e953ac31412f977eb30fe789f83
                                                        • Opcode Fuzzy Hash: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                        • Instruction Fuzzy Hash: 1A023DB5A40216AFFB00DF94DCC1BAEB7A5FF58354F240025E905AB385E7B5B950CB22
                                                        APIs
                                                        • RtlMoveMemory.NTDLL(00000000), ref: 1000665A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: MemoryMove
                                                        • String ID:
                                                        • API String ID: 1951056069-0
                                                        • Opcode ID: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                                                        • Instruction ID: de403b7ac96d81ad167a5567031b13b093eba99a0845d2f8fdd956dd85fb778c
                                                        • Opcode Fuzzy Hash: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                                                        • Instruction Fuzzy Hash: 12B151B5A812969BFF00CF58DCC1B95B7E1EF69324B291470E846AF344D378B861DB21
                                                        APIs
                                                        • GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: KeyboardLayoutList
                                                        • String ID:
                                                        • API String ID: 4253248152-0
                                                        • Opcode ID: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                                                        • Instruction ID: 3f0b898e91331e47705899626b39ccd446a255f5e12301d86a1815f33d743008
                                                        • Opcode Fuzzy Hash: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                                                        • Instruction Fuzzy Hash: 487158F6E00205AFEB00DFA4ECC2BAE77E5EF58251F540025E609EF341E775A9448B62
                                                        APIs
                                                        • LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: AddressProcedure
                                                        • String ID:
                                                        • API String ID: 3653107232-0
                                                        • Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                        • Instruction ID: 78c0987cb7ffc063797d9a6f9d393f2066e6151a443f59dc1fc5ba499ae867df
                                                        • Opcode Fuzzy Hash: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                        • Instruction Fuzzy Hash: 564146B5D40209AFEB00DFD4EC81BAEB7B5FF18314F244065E909AB245D375AA54CB62
                                                        APIs
                                                        • LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Handle
                                                        • String ID:
                                                        • API String ID: 2519475695-0
                                                        • Opcode ID: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                        • Instruction ID: f5b1eeb52ae3afd7add8d8d659320dd3d1fa50eb2e7bb74abf840f5972d141ec
                                                        • Opcode Fuzzy Hash: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                        • Instruction Fuzzy Hash: 6B312FF6D40205ABEB40DF94ECC2B9AB7F8FF18314F184065E90DAB341E375A9548B62
                                                        APIs
                                                        • RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ComputeCrc32
                                                        • String ID:
                                                        • API String ID: 660108262-0
                                                        • Opcode ID: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                        • Instruction ID: 885f51156191be290847c32039febb9a430df116088fdaca21ba1fa0fc310e03
                                                        • Opcode Fuzzy Hash: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                        • Instruction Fuzzy Hash: FE3149B5E00309BBEB51DFD49C82FBE77B8EF14740F104068FA18BA242D7B6A6509B51
                                                        APIs
                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: DirectorySystem
                                                        • String ID:
                                                        • API String ID: 2188284642-0
                                                        • Opcode ID: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                        • Instruction ID: ee8817d9cef94c28fb543e8b0ac086dfa591c469ffb5e13cc4bb05c5ca752fcb
                                                        • Opcode Fuzzy Hash: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                        • Instruction Fuzzy Hash: 2F115875E00309BBEB40DEE49C42BAD76A8EB08754F241469F608FB241D771AB809756
                                                        APIs
                                                        • IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID:
                                                        • API String ID: 367298776-0
                                                        • Opcode ID: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                                                        • Instruction ID: 3e1362fdfd7180a89e2653fc66fb6b654d9ba0ea71b3ee1e512a707afa301e7c
                                                        • Opcode Fuzzy Hash: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                                                        • Instruction Fuzzy Hash: 730188B5D0021CA7DB00FFE0AC82B9EB7B8EB04345F904467F90566111D7B29A549B96
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID:
                                                        • API String ID: 367298776-0
                                                        • Opcode ID: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                                                        • Instruction ID: 8d0e244bf49903d48fd7c686830ea074e98c76a4a96eec9f774984162f9bf409
                                                        • Opcode Fuzzy Hash: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                                                        • Instruction Fuzzy Hash: BF0148B5D0431DABEB00FFE09C82FAEB778EB14340F904465F50566116EB71AB54DB92
                                                        APIs
                                                        • GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Ancestor
                                                        • String ID:
                                                        • API String ID: 4063365101-0
                                                        • Opcode ID: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                                                        • Instruction ID: eb8589c6fe16dd3324ac60df81f06840749ea93634a8b87ae7cb4ae9ae9ba44e
                                                        • Opcode Fuzzy Hash: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                                                        • Instruction Fuzzy Hash: C3F03CB4E44308EBDB10EF90E9467ADFB70EB06741F509065E6047B180E7B25A509A8A
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        • Opcode ID: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                                                        • Instruction ID: 16cce99742d90ffd21a6e538df0c97e42957f62968f0f4cbc8e65f9f29ad9446
                                                        • Opcode Fuzzy Hash: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                                                        • Instruction Fuzzy Hash: D8F03970E45208FBDB21EF95DC02BADBB74EB05741F1080A5FA087A180D7B5AB509B95
                                                        APIs
                                                        • ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: MutexRelease
                                                        • String ID:
                                                        • API String ID: 1638419-0
                                                        • Opcode ID: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                                                        • Instruction ID: 7b3213fa97c1f7abe5e99e727b00606adf76b996470ce0c1231a1946aded7527
                                                        • Opcode Fuzzy Hash: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                                                        • Instruction Fuzzy Hash: 3AD017B0D45308B7E610AE90EC03B69BA34D706761F105161FA082A190E6B2AB2496DA
                                                        APIs
                                                        • HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5
                                                          • Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: AllocExchangeHeapInterlocked
                                                        • String ID:
                                                        • API String ID: 3051970009-0
                                                        • Opcode ID: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
                                                        • Instruction ID: 8cc4e7238832c14419a96c129bec8d194933ec370394a89dab4d823145446c67
                                                        • Opcode Fuzzy Hash: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
                                                        • Instruction Fuzzy Hash: 51310270D40209FEFB11DFA0CC02BEDBBB5FB04780F208169F614BA194DBB56A54AB55
                                                        APIs
                                                        • HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID:
                                                        • API String ID: 4292702814-0
                                                        • Opcode ID: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
                                                        • Instruction ID: 104a27a5d458cbbbe33f9f96244b29e3d4c33b82fd0089700704125604d1dba2
                                                        • Opcode Fuzzy Hash: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
                                                        • Instruction Fuzzy Hash: BDE08634D85308B7E610EF40DC03F29BA38E702751F508012FA083A090D6B25A649B87
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
                                                        • Instruction ID: b82dc38e16616ddd987b864122364eac5c1fff58b477e30fd6f02d7e5179368c
                                                        • Opcode Fuzzy Hash: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
                                                        • Instruction Fuzzy Hash: 85721AB5E40309ABEB00DF94ECC2FDDBBB5EB0C354F644025F604BA296D7B269548B25
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
                                                        • Instruction ID: 551f598227d6dd39184c223fb6ed838a91ab17f663f6174eca7434abf6d8a969
                                                        • Opcode Fuzzy Hash: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
                                                        • Instruction Fuzzy Hash: 40624CB5E41208BBEF11DFD0EC82BDDBBB5EF08354F204029F604BA291D7B5A9958B14
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
                                                        • Instruction ID: a5955423d14317f839d9afbcb2b9ced9374c1de9beecc9198591da7258e3e5d6
                                                        • Opcode Fuzzy Hash: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
                                                        • Instruction Fuzzy Hash: 5D32F7B1B412529BFB00CF58ECC0B59B7A5EFA9324F290074E946AF341D379B861DB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
                                                        • Instruction ID: 3de84c3e889b2c0bc8bcd444dabd38468fbc88aeca599d708b385d83fa676b17
                                                        • Opcode Fuzzy Hash: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
                                                        • Instruction Fuzzy Hash: 8E22F8B2B812529BFB00CB58ECC0B55B7A5EFA5328F290474E9469F341D379F861DB21
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
                                                        • Instruction ID: 2248021ac5db34a560a572e85a1c1eea5c01ad721331a673fc7f7bdbc18de49f
                                                        • Opcode Fuzzy Hash: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
                                                        • Instruction Fuzzy Hash: 90524471D00259CBEB20CFA4D8857DDBBB0FF48344F2180A4D599BB249DB756AA5CF90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
                                                        • Instruction ID: fa5432d9c06c826fba32fdae05fe74482de4f60f477d8ade94ddac0ef3f6a6e0
                                                        • Opcode Fuzzy Hash: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
                                                        • Instruction Fuzzy Hash: 602215B5E00309AFEF10CF94DC82BEEBBB0FF09354F204025EA14BA296D77569548B65
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
                                                        • Instruction ID: 15cd058cb613ad93b2deb671447fd93daff6b1ebb966e0e7c4ee6c7ed785d811
                                                        • Opcode Fuzzy Hash: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
                                                        • Instruction Fuzzy Hash: BDA160B5E00209ABEB40DEE4DC85FDE7BB8EF08354F144065FA04AA241EB75EB94CB51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
                                                        • Instruction ID: 14e6b09ccae86c50f75a937e7e6fe01258ff4770b1647dfaac81a6f85d8f69f1
                                                        • Opcode Fuzzy Hash: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
                                                        • Instruction Fuzzy Hash: 7A911EB5E0020AABEF10DF94DC85B9E7BB5EF18344F204025FA14BB281D775EB948B65
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
                                                        • Instruction ID: 03d07b771d78d2ead9be031f4861621435dfbb7e08fb32216ea170559a01278e
                                                        • Opcode Fuzzy Hash: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
                                                        • Instruction Fuzzy Hash: 078123B5E4025AABEF00CF94ECC1B9DBBB4FF19310F640025E549BB245D775A851CB25
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
                                                        • Instruction ID: fa026d6154386471c9ed67b0d764591261ae5350a3fbb2125f892fb7990afb2f
                                                        • Opcode Fuzzy Hash: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
                                                        • Instruction Fuzzy Hash: 7D7135B5E4125AABEF00DFA8ECC1B9DBBB4FF18310F650025E545BB241DB75A851CB21
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect
                                                        • String ID:
                                                        • API String ID: 1517587568-0
                                                        • Opcode ID: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
                                                        • Instruction ID: 38d14c2f8622cd03f50353335eeab2373c5cbc47d148ebdcbde86e05c5d9d7ee
                                                        • Opcode Fuzzy Hash: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
                                                        • Instruction Fuzzy Hash: 4E6134B1E40349ABEB10DFE4DC86FEF76F4EB05704F500425F615BA281D7B6AA848B52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ComputeCrc32CreateMutex
                                                        • String ID:
                                                        • API String ID: 2647859408-0
                                                        • Opcode ID: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                                                        • Instruction ID: 6e8f39effab6ffe8abe8ce8b2f006d743ef601de1a83054572dbacb1371b805f
                                                        • Opcode Fuzzy Hash: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                                                        • Instruction Fuzzy Hash: FA611274E40319EBEB00EF91DC87BEEBB71EB05750F200026F6147A191D7B1AA51DB96
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
                                                        • Instruction ID: b3edc6188f52fe0267c65f768a9f0694fa0e22adacd15ae2cea2a64ff053d747
                                                        • Opcode Fuzzy Hash: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
                                                        • Instruction Fuzzy Hash: E4512774E40316ABEB10CF94DC96FAE77B4EF04700F604019FA49BE291D7F59A948B92
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
                                                        • Instruction ID: 3ff1e0272834ebdf1ae0fa1b74ff5d017005019b99e03679453d0ba0a45af6fd
                                                        • Opcode Fuzzy Hash: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
                                                        • Instruction Fuzzy Hash: E2512EB5D0021AABEB00DF94DCC1BAE77B4FF18314F140465E508EB301E775AA50CB62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
                                                        • Instruction ID: 740361c2a2a7975ea98c5d6579f5497acae074faf2527958cbce1f24f1a7fcbb
                                                        • Opcode Fuzzy Hash: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
                                                        • Instruction Fuzzy Hash: 84516B75E00209EBEB00CF94DC86FAE77F4EB05344F654055F914BE281E776DA948B62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
                                                        • Instruction ID: 6e2a16805fa032cb188a6ab09911055340e312e86faa01d054a0585f1b90ccec
                                                        • Opcode Fuzzy Hash: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
                                                        • Instruction Fuzzy Hash: 14312270D44609EBEF00EF80DC46BAEBB71EB06355F205169FA043A191D3B64A54DF9A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
                                                        • Instruction ID: fcd9660d6a72fe45eefc1d8f4cbc8b5498bd8d2469cb5e857af72b9432f5bd19
                                                        • Opcode Fuzzy Hash: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
                                                        • Instruction Fuzzy Hash: F3313575E40308AFEB50DF94DC82B9DBBB4EB0C741F504065F608EB745E7B59A409B52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
                                                        • Instruction ID: 0e6d90bd3a1296b327673a782b8a2de37a0e9d786c9d2f722c0ab1c87383cc98
                                                        • Opcode Fuzzy Hash: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
                                                        • Instruction Fuzzy Hash: 69317375E40308AFEB40DF94DC82B9EBBB4EB08340F504075E608EB696E3B56A409B52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
                                                        • Instruction ID: f5bd11c3930f14deff6542fe37b9d91d6d9d9f7f47c674184f68d859604aa839
                                                        • Opcode Fuzzy Hash: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
                                                        • Instruction Fuzzy Hash: 8821F975A04209EFEB41CF90CD82BAE77F8EB05754F244015B908BA181E7B5EAD09B62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                                                        • Instruction ID: cb764db9af18425858f0870d561dcf750e8236d090e6b6f48ce3485ee4cf3179
                                                        • Opcode Fuzzy Hash: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                                                        • Instruction Fuzzy Hash: 7E114634845224FBEA11FF90DC42B68BBA1E712345F215067F6042A0B5DBB2ADD6DA42
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                                                        • Instruction ID: eeae7fc577553641f4f664837c49950aecc16b69e97dd8631aebf4018e73b438
                                                        • Opcode Fuzzy Hash: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                                                        • Instruction Fuzzy Hash: FA2137B090060AEAFB10DFA0C844BEEBAB8FB05380F204271F990A6198D7349AD5D754
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                                                        • Instruction ID: ba505964bce734d70dae5fb9ba97fd24188bee46f8c6b217aecce00d80479512
                                                        • Opcode Fuzzy Hash: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                                                        • Instruction Fuzzy Hash: C9112875D00208FBEF00DF90C84579DBBB0EB05345F508069F908AE290DB759B94DB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                                                        • Instruction ID: 8996d56321af788ecdb48f59df6a7f6deac0e56e76c4d4795bf28b9d59f37b7c
                                                        • Opcode Fuzzy Hash: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                                                        • Instruction Fuzzy Hash: D3110975D0020DABEB00DFD0DC46BAEBBB8FF04704F104455F914BA190E7B2AB549B91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                                                        • Instruction ID: aa05f780bf07b04a9dbad2cba23d858d9fb5007feb3f8ac9aeeac6949bb19c5c
                                                        • Opcode Fuzzy Hash: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                                                        • Instruction Fuzzy Hash: 07015335980208FBEF11DFA1DD02BDEBB74EB00350F108022BA146E1A0D772DAA0ABC1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                        • Instruction ID: f86e8bef0b9f5b7b48e3b9b3acc0b6cb1fd06cabc4355fe6e2609782588421e0
                                                        • Opcode Fuzzy Hash: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                        • Instruction Fuzzy Hash: B401EC7594020CBEEF11DF80DC42FEDBB79EB09740F108051FA046D091D7B29AA5AB95
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                        • Instruction ID: e7353d8a689e469959c960a5bb5359493e28a0ae3a5db89d5c895ffd79e8d98e
                                                        • Opcode Fuzzy Hash: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                        • Instruction Fuzzy Hash: 64F04970D00208FBEB10DF90CC06BADBFB0EB01341F204065F9007A1A0D7B6AB94DB85
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                        • Instruction ID: 682ee749917f4e023bc7197140f76a097522797ecf20c1f45cbbd45c019d52a4
                                                        • Opcode Fuzzy Hash: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                        • Instruction Fuzzy Hash: 3CF0FE74D44258EBDB14EE90D8057EDBA74E706305F504266EA04AE190D3B18BA4DB96
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                        • Instruction ID: 02fc14b9e54e6900d73ffd4e28a19c8708dbe27031dd51c44bf3dba7fdb031ba
                                                        • Opcode Fuzzy Hash: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                        • Instruction Fuzzy Hash: ECF05474A00308FBEB21CF94CD81B9CBBB0EF09300F2080E4FE0467381E6B15A509B51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                        • Instruction ID: bbfaceb90791bb35eed418166a23c42ee1e6653db07919fbe020635ad9369783
                                                        • Opcode Fuzzy Hash: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                        • Instruction Fuzzy Hash: B9F03975D00218EBDB00EE90D80ABAEBA78EB15301F100465EA086E190D3B59B54DA96
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                        • Instruction ID: 33dc01a3c2299a3cd355405e5767cb27c6d7fba89f237eed4e622fd5132f0db0
                                                        • Opcode Fuzzy Hash: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                        • Instruction Fuzzy Hash: 5AE08C34D49308B7D610EF40AC87B28BA35E706701F505056FA043A090E7F2AA649A8A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                        • Instruction ID: 761fadcd4debd2308a54b226b4f8dff580185d7010702b48f65d1b5b1071df53
                                                        • Opcode Fuzzy Hash: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                        • Instruction Fuzzy Hash: 66E08C34D45308B7D610EF50EC43B6CBB34E707700F108056FA083A1A0D7B29E60ABCA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                        • Instruction ID: 1fae9ae4253266a87bc96311d46508b5db8f13d56845d8971887a42445dbbd4a
                                                        • Opcode Fuzzy Hash: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                        • Instruction Fuzzy Hash: 7DD05B70D45218F7DA10EF54AC03B39BB34D707761F205261FB143E1D5D6B25920D5DA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                        • Instruction ID: 2a9e0740773b8b6f5e110bd1e2332ab73de667f723c53b2bed2784798aa44a4a
                                                        • Opcode Fuzzy Hash: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                        • Instruction Fuzzy Hash: 90B01232125BD44EC1038309C423B11B7ECE300D48F090090D451C7542C14CF610C494
                                                        APIs
                                                        • GetFocus.USER32 ref: 004C3BCF
                                                        • GetWindowRect.USER32(?,?), ref: 004C3C26
                                                        • GetParent.USER32(?), ref: 004C3C36
                                                        • GetParent.USER32(?), ref: 004C3C69
                                                        • GlobalSize.KERNEL32(00000000), ref: 004C3CB3
                                                        • GlobalLock.KERNEL32(00000000), ref: 004C3CBB
                                                        • IsWindow.USER32(?), ref: 004C3CD4
                                                        • GetTopWindow.USER32(?), ref: 004C3D11
                                                        • GetWindow.USER32(00000000,00000002), ref: 004C3D2A
                                                        • SetParent.USER32(?,?), ref: 004C3D56
                                                        • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C3DA1
                                                        • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C3DB0
                                                        • GetParent.USER32(?), ref: 004C3DC3
                                                        • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C3DDC
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 004C3DE4
                                                        • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C3E14
                                                        • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C3E22
                                                        • IsWindow.USER32(?), ref: 004C3E6E
                                                        • GetFocus.USER32 ref: 004C3E78
                                                        • SetFocus.USER32(?,00000000), ref: 004C3E90
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004C3E9B
                                                        • GlobalFree.KERNEL32(00000000), ref: 004C3EA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                                                        • String ID:
                                                        • API String ID: 300820980-0
                                                        • Opcode ID: a5e06cfc1a4b0c2b4fcf7307385b7f67ed5954e414faedcd3d11cb8bf83cb7da
                                                        • Instruction ID: a8dbba72d25d691889d15e2c3ac1096b02a44a277ded0c3e1f79c9fae5ddd12a
                                                        • Opcode Fuzzy Hash: a5e06cfc1a4b0c2b4fcf7307385b7f67ed5954e414faedcd3d11cb8bf83cb7da
                                                        • Instruction Fuzzy Hash: FFA18A75204701AFD760EF69CC88F6BB7E8BB88701F108A1DFA4297391DB78E9058B55
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                        • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                        • wsprintfA.USER32 ref: 10029676
                                                        • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                          • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                        • atoi.MSVCRT(?), ref: 100296CB
                                                        • strchr.MSVCRT ref: 10029703
                                                        • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                        • wsprintfA.USER32 ref: 10029739
                                                        • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                         Strings
                                                         • DLL ERROR
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                        • String ID: DLL ERROR
                                                        • API String ID: 3187504500-4092134112
                                                        • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                        • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                                                        • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                        • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
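The two APIs blocks around this point (the resolver above at 10029652, and the registry reader at 10028E9E that follows) are the kind of trace a triager reads by hand: GetModuleHandleA/LoadLibraryA followed by atoi, strchr and GetProcAddress is a dynamic import resolver, and the second argument the plugin printed for GetProcAddress, 00000040, has a zero high word, which GetProcAddress treats as an ordinal (64) if that recovered constant is right; RegOpenKeyA, two RegQueryValueExA calls with an operator new between them, then RegCloseKey is the usual size-probe-then-read idiom. The script below is an added example by the editor, not code from the Joe Sandbox report or from the 215.exe sample: it parses bullet lines in the format shown on this page and flags those two patterns. It assumes the report lists calls in address order and uses that as an approximation of call order, takes argument tokens exactly as printed ('?' means the plugin did not recover a value), and embeds copies of the two traces (argument lists abridged) as its sample input.

```python
"""Parse Joe Sandbox per-function "APIs" blocks and flag dynamic API resolution
(LoadLibrary*/GetModuleHandle* then GetProcAddress, ordinal imports called out) and
RegOpenKey -> RegQueryValueEx x2 -> RegCloseKey. Editor's example, not report code."""
import re
from dataclasses import dataclass
from typing import List, Optional

CALL_RE = re.compile(
    r"^(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"  # e.g. GetProcAddress.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                        # optional (00000000,00000040)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")        # , ref: 10029721
SUBCALL_RE = re.compile(r"^Part of subcall function\s+(?P<func>[0-9A-Fa-f]{8}):\s*(?P<rest>.+)$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}

@dataclass
class Call:
    api: str
    module: str
    args: List[str]                   # tokens as printed; '?' = value not recovered
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # parent for "Part of subcall function" lines

def parse_api_block(text: str) -> List[Call]:
    """One Call per bullet line, in the order the report lists them (address order)."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        parent, sub = None, SUBCALL_RE.match(line)
        if sub:  # nested "Part of subcall function XXXXXXXX: api.MODULE ref: ..." line
            parent, line = int(sub.group("func"), 16), sub.group("rest").strip()
        m = CALL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {raw!r}")
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), parent))
    return calls

def _const(tok: str) -> Optional[int]:
    """Hex token -> int; None for '?' and inline string literals such as 'DLL ERROR'."""
    try:
        return int(tok, 16)
    except ValueError:
        return None

def find_dynamic_resolution(calls: List[Call]):
    """GetProcAddress sites that follow a module load/lookup in listed order.
    kind is 'ordinal:<n>' when the name argument is a constant below 0x10000
    (high word zero, which GetProcAddress treats as an ordinal), else 'name'."""
    hits, loader_seen = [], False
    for c in calls:
        if c.api in LOADERS:
            loader_seen = True
        elif c.api == "GetProcAddress" and loader_seen:
            name = _const(c.args[1]) if len(c.args) > 1 else None
            kind = f"ordinal:{name}" if name is not None and name < 0x10000 else "name"
            hits.append((c.ref, kind))
    return hits

def find_registry_reads(calls: List[Call]):
    """RegOpenKey*/RegCreateKey* ... RegCloseKey spans with their RegQueryValueEx*
    sites; two or more queries on one handle is the size-probe-then-read idiom."""
    groups, cur = [], None
    for c in calls:
        if c.api.startswith(("RegOpenKey", "RegCreateKey")):
            cur = {"open": c.ref, "queries": [], "close": None}
        elif cur and c.api.startswith("RegQueryValueEx"):
            cur["queries"].append(c.ref)
        elif cur and c.api == "RegCloseKey":
            cur["close"], cur["size_probe"] = c.ref, len(cur["queries"]) >= 2
            groups.append(cur)
            cur = None
    return groups

# Sample input copied from this report's two APIs blocks (argument lists abridged).
RESOLVER_TRACE = """\
• GetModuleHandleA.KERNEL32(?), ref: 10029652
• LoadLibraryA.KERNEL32(?), ref: 1002965F
• wsprintfA.USER32 ref: 10029676
• MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
  • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
• atoi.MSVCRT(?), ref: 100296CB
• strchr.MSVCRT ref: 10029703
• GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
• wsprintfA.USER32 ref: 10029739
• MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
"""
REGISTRY_TRACE = """\
• strrchr.MSVCRT ref: 10028EC7
• RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400), ref: 10028F26
• ??2@YAPAXI@Z.MSVCRT(?,00000000), ref: 10028F3E
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?), ref: 10028F5B
• RegCloseKey.ADVAPI32(?), ref: 10028F97
"""

if __name__ == "__main__":
    for label, trace in (("resolver", RESOLVER_TRACE), ("registry", REGISTRY_TRACE)):
        calls = parse_api_block(trace)
        print(label, find_dynamic_resolution(calls), find_registry_reads(calls))
```

On the resolver trace the script reports one hit, `(0x10029721, 'ordinal:64')`; on the registry trace it reports one open/close span with two query sites and `size_probe` set. Both findings are heuristics over a static call listing, so confirm them against the disassembly before writing them into a report: the plugin's argument values are what it could recover at the call site, not observed runtime values.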
                                                        APIs
                                                        • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                        • strrchr.MSVCRT ref: 10028EC7
                                                        • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                        • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                        • String ID:
                                                        • API String ID: 1380196384-0
                                                        • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                        • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                                                        • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                        • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00533932,?,Microsoft Visual C++ Runtime Library,00012010,?,007C9F0C,?,007C9F5C,?,?,?,Runtime Error!Program: ), ref: 0053AFC7
                                                        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053AFDF
                                                        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053AFF0
                                                        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053AFFD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                        • API String ID: 2238633743-4044615076
                                                        • Opcode ID: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                                                        • Instruction ID: 83631bafcea997934691c960369491d56e8dcc973292f11984044307f5a8ba43
                                                        • Opcode Fuzzy Hash: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                                                        • Instruction Fuzzy Hash: D301B5716003037F97209FB5AC8CA6B3FA8B758781F04442DE255C2060DB78C856DB61
                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,00000100,007CA19C,00000001,00000000,00000000,76F8E860,0082CD44,?,?,?,0052F4AD,?,?,?,00000000), ref: 00536D76
                                                        • LCMapStringA.KERNEL32(00000000,00000100,007CA198,00000001,00000000,00000000,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 00536D92
                                                        • LCMapStringA.KERNEL32(?,?,?,0052F4AD,?,?,76F8E860,0082CD44,?,?,?,0052F4AD,?,?,?,00000000), ref: 00536DDB
                                                        • MultiByteToWideChar.KERNEL32(?,0082CD45,?,0052F4AD,00000000,00000000,76F8E860,0082CD44,?,?,?,0052F4AD,?,?,?,00000000), ref: 00536E13
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052F4AD,?,00000000,?,?,0052F4AD,?), ref: 00536E6B
                                                        • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052F4AD,?), ref: 00536E81
                                                        • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052F4AD,?), ref: 00536EB4
                                                        • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052F4AD,?), ref: 00536F1C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: String$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 352835431-0
                                                        • Opcode ID: 23665512dbc1f0ee129b62cbf3537f722d825c4c217663448522a86d3a7c14c8
                                                        • Instruction ID: a17342d906475ba4ccb1d5677064555128497c3fa172171605df527d89ef9089
                                                        • Opcode Fuzzy Hash: 23665512dbc1f0ee129b62cbf3537f722d825c4c217663448522a86d3a7c14c8
                                                        • Instruction Fuzzy Hash: 90514632A00649BFCF228F94DC45EAF7FB9FB49754F248519F915A21A0D3328D24EB60
                                                        APIs
                                                        • CreatePopupMenu.USER32 ref: 004D124E
                                                        • AppendMenuA.USER32(?,?,00000000,?), ref: 004D13B1
                                                        • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D13E9
                                                        • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D1407
                                                        • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1465
                                                        • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D148A
                                                        • AppendMenuA.USER32(?,?,?,?), ref: 004D14D2
                                                        • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D14F7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Menu$Append$Modify$CreatePopup
                                                        • String ID:
                                                        • API String ID: 3846898120-0
                                                        • Opcode ID: 4252469768366250099115f08a61241e952fe1ffa5309e5116c893b2703b2250
                                                        • Instruction ID: 91493e1bdffcaf6dc66c684a410da80f2d6e80719b3538bdff69fe5517fa1f35
                                                        • Opcode Fuzzy Hash: 4252469768366250099115f08a61241e952fe1ffa5309e5116c893b2703b2250
                                                        • Instruction Fuzzy Hash: 4BD187B1A04310ABD714DF18C894A6BBBE4FF89714F04452EFC8997361D779AD01CBA6
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0053387B
                                                        • GetStdHandle.KERNEL32(000000F4,007C9F0C,00000000,00000000,00000000,?), ref: 00533951
                                                        • WriteFile.KERNEL32(00000000), ref: 00533958
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: File$HandleModuleNameWrite
                                                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                        • API String ID: 3784150691-4022980321
                                                        • Opcode ID: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                                                        • Instruction ID: 72515ddb0692610db4a7505e1d49e372bb292cf5a690d6a1b86e6c6776ab662d
                                                        • Opcode Fuzzy Hash: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                                                        • Instruction Fuzzy Hash: BA31A6B2A01219BFEF20DA60CC49FDA7B7CFB89740F50055EF645E6091D6B4AA44CB51
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %I64d$%lf
                                                        • API String ID: 0-1545097854
                                                        • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                        • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                        • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                        • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 00533262
                                                        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 00533276
                                                        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 005332A2
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D78E), ref: 005332DA
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D78E), ref: 005332FC
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052D78E), ref: 00533315
                                                        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 00533328
                                                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533366
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_215.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
• Opcode ID: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
• Instruction ID: 8c6ccf067f4a9912778e7e44cb1990fb55bac82363fd60b951cc700d1dbe58f8
• Opcode Fuzzy Hash: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
• Instruction Fuzzy Hash: 0931D2725082A5AFDB307FB89CC887BBF9CFA45358F254D29F546C3151EE218E85C2A1
APIs
• IsWindow.USER32(?), ref: 004C036D
• GetParent.USER32(?), ref: 004C037F
• SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C03A7
• GetWindowRect.USER32(?,?), ref: 004C0431
• InvalidateRect.USER32(?,?,00000001,?), ref: 004C0454
• GetWindowRect.USER32(?,?), ref: 004C061C
• InvalidateRect.USER32(?,?,00000001,?), ref: 004C063D
Memory Dump Source
• Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_215.jbxd
Similarity
• API ID: Rect$Window$Invalidate$MessageParentSend
• String ID:
• API String ID: 236041146-0
• Opcode ID: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
• Instruction ID: 4b688611f461f8368dac4805b52eac4689abec9f88679de377be81876f2b3777
• Opcode Fuzzy Hash: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
• Instruction Fuzzy Hash: AD910435A003119BCB64EF24C855FAB77E8AF84758F08061DFD459B391EB38ED058B99
APIs
• GetStringTypeW.KERNEL32(00000001,007CA19C,00000001,?,76F8E860,0082CD44,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A547
• GetStringTypeA.KERNEL32(00000000,00000001,007CA198,00000001,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A561
• GetStringTypeA.KERNEL32(?,?,?,?,0052F4AD,76F8E860,0082CD44,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A595
• MultiByteToWideChar.KERNEL32(?,0082CD45,?,?,00000000,00000000,76F8E860,0082CD44,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A5CD
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052F4AD,?), ref: 0053A623
• GetStringTypeW.KERNEL32(?,?,00000000,0052F4AD,?,?,?,?,?,?,0052F4AD,?), ref: 0053A635
Memory Dump Source
• Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_215.jbxd
Similarity
• API ID: StringType$ByteCharMultiWide
• String ID:
• API String ID: 3852931651-0
• Opcode ID: b82b0b397491a525da78d297f98bfb768413547d44694bdd85a965ef04cf11ec
• Instruction ID: 4b871046686aa4e8ec8d6391d9ae35cc721373a51036e5664877b65ab473ea0f
• Opcode Fuzzy Hash: b82b0b397491a525da78d297f98bfb768413547d44694bdd85a965ef04cf11ec
• Instruction Fuzzy Hash: 4541AD72A00219EFCF218F94DC86EAF3F79FB18751F144929F952E61A0D3318951DBA2
APIs
• TlsGetValue.KERNEL32(00828A84,00828A74,00000000,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 0054958A
• EnterCriticalSection.KERNEL32(00828AA0,00000010,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 005495D9
• LeaveCriticalSection.KERNEL32(00828AA0,00000000,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 005495EC
• LocalAlloc.KERNEL32(00000000,00000004,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 00549602
• LocalReAlloc.KERNEL32(?,00000004,00000002,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 00549614
• TlsSetValue.KERNEL32(00828A84,00000000), ref: 00549650
Memory Dump Source
• Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_215.jbxd
Similarity
• API ID: AllocCriticalLocalSectionValue$EnterLeave
• String ID:
• API String ID: 4117633390-0
• Opcode ID: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
• Instruction ID: a7d4a0411247d9e6807448b3e7392d0ea296d93a679dda7803eac46a40298901
• Opcode Fuzzy Hash: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
• Instruction Fuzzy Hash: 87319C71100605EFDB24CF25D89AFABBBB8FF45365F008518E416C7680DB70E809CB61
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A0D4
  • Part of subcall function 0054A1C0: lstrlenA.KERNEL32(00000104,00000000,?,0054A104), ref: 0054A1F7
• lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A175
• lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A1A2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_215.jbxd
Similarity
• API ID: FileModuleNamelstrcatlstrcpylstrlen
• String ID: .HLP$.INI
• API String ID: 2421895198-3011182340
• Opcode ID: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
• Instruction ID: bca0d6cf56b7b712b634b80d4d1d1d7112b3351e13c35864bc9ba09b7c264cf1
• Opcode Fuzzy Hash: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
• Instruction Fuzzy Hash: B23170B6944719AFDB61DB70D889BC6BBFCFB04314F10496AE199D3151EB70A984CB10
Memory Dump Source
• Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_215.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c36edf7d12d1314a1372e16590304161adf48fd620d786af74f75f48fd59d46
• Instruction ID: be20e0895d428c32d52cb7b0394377f42a385b24d5d24aefee517c605bd2803a
• Opcode Fuzzy Hash: 4c36edf7d12d1314a1372e16590304161adf48fd620d786af74f75f48fd59d46
• Instruction Fuzzy Hash: F6C1C675904602AFC350DF24D881EAFB7E9EF94348F44492EF84697351E738F9068BA6
APIs
• GetStartupInfoA.KERNEL32(?), ref: 005333D7
• GetFileType.KERNEL32(?,?,00000000), ref: 00533482
• GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 005334E5
• GetFileType.KERNEL32(00000000,?,00000000), ref: 005334F3
• SetHandleCount.KERNEL32 ref: 0053352A
Memory Dump Source
• Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: FileHandleType$CountInfoStartup
                                                        • String ID:
                                                        • API String ID: 1710529072-0
                                                        • Opcode ID: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                                                        • Instruction ID: 58de3ddd0e2e92e51d2a0d253fc6a8bed5239909a434a31a5e8bb727088a362d
                                                        • Opcode Fuzzy Hash: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                                                        • Instruction Fuzzy Hash: A15102319042118FCB21CF78D89CA697FE0BF51328F298B68D5A2CB2E1D731DA4AD750
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Menu$Destroy$AcceleratorTableWindow
                                                        • String ID:
                                                        • API String ID: 1240299919-0
                                                        • Opcode ID: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
                                                        • Instruction ID: e8fca324fd41ac75f5667996a263c3a063f1a6c87b33762e55e35c0cab08daa7
                                                        • Opcode Fuzzy Hash: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
                                                        • Instruction Fuzzy Hash: 7C31D8B5600306AFC720EF65DC44EAB77A9EF84355F06852DFD0597252EA38E809CBB0
                                                        APIs
                                                        • GetLastError.KERNEL32(00000103,7FFFFFFF,0052FAA2,005323B7,00000000,?,?,00000000,00000001), ref: 0053359E
                                                        • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005335AC
                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 005335F8
                                                          • Part of subcall function 0052FE96: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 0052FF8C
                                                        • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 005335D0
                                                        • GetCurrentThreadId.KERNEL32 ref: 005335E1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                        • String ID:
                                                        • API String ID: 2020098873-0
                                                        • Opcode ID: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
                                                        • Instruction ID: 438d8a4e05a95baa21e12208a53bddc31b6c13d54156d796b313c472ae853cc2
                                                        • Opcode Fuzzy Hash: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
                                                        • Instruction Fuzzy Hash: E2F09036601722ABD7322B70BC1E6593F64FF517B3F214629F581DA1E0CF248A4596A1
                                                        APIs
                                                        • wsprintfA.USER32 ref: 10027B78
                                                        • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Messagewsprintf
                                                        • String ID: error$program internal error number is %d. %s
                                                        • API String ID: 300413163-3752934751
                                                        • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                        • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                        • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                        • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                        APIs
                                                        • HeapAlloc.KERNEL32(00000000,00002020,007EADD0,007EADD0,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BAD
                                                        • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BD1
                                                        • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BEB
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000,?), ref: 00537CAC
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000,?,00000000), ref: 00537CC3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual$FreeHeap
                                                        • String ID:
                                                        • API String ID: 714016831-0
                                                        • Opcode ID: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
                                                        • Instruction ID: 1512858f030f1cc50898cefec8b6d809c31302b4ce8c375ac6474d5aef16df46
                                                        • Opcode Fuzzy Hash: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
                                                        • Instruction Fuzzy Hash: B03122B0A4170EAFD330CF24EC44B21BBE0FB88756F108A39E4559B690E738AC40DB49
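The VirtualAlloc and VirtualFree arguments in the record above are shown as raw hex. The following is an added example, not part of the Joe Sandbox report, that parses API lines in this report's layout and decodes the allocation-type and page-protection flags against the winnt.h constants, so a reader can see at a glance what a record allocates and whether any allocation asks for executable memory. The sample lines are copied from the HeapAlloc/VirtualAlloc record above; the regular expression is an assumption about the line format (function, module, hex arguments, "ref:" address) derived from the lines on this page.

```python
"""Parse Joe Sandbox 'APIs' lines and decode VirtualAlloc/VirtualFree flags."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One report line: "<Func>.<MODULE>(<comma-separated hex args>), ref: <addr>".
# The argument list is optional ("SetHandleCount.KERNEL32 ref: 0053352A") and
# "?" marks an argument the sandbox could not recover from the memory dump.
# Assumed layout, inferred from the lines on this page.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Flag values from winnt.h / memoryapi.h.
ALLOCATION_TYPES = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
    0x8000: "MEM_RELEASE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN",
    0x200000: "MEM_WRITE_WATCH", 0x400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTE_MASK = 0xF0  # any of the four PAGE_EXECUTE* base protections


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: Tuple[Optional[int], ...]  # None where the report shows '?'
    ref: int


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the call described by one report line, or None if it is not an API line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(None if t.strip() in ("", "?") else int(t, 16)
                 for t in raw.split(",")) if raw is not None else ()
    return ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16))


def decode_flags(value: int, table: dict) -> str:
    """Expand a bitmask into the named flags it contains; unknown bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)  # keys are distinct bits, so their sum is their OR
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def decode_protection(protect: int) -> str:
    """Base protection (low byte) plus any PAGE_GUARD/NOCACHE/WRITECOMBINE modifier."""
    base = PAGE_PROTECTIONS.get(protect & 0xFF, hex(protect & 0xFF))
    mods = decode_flags(protect & ~0xFF, PAGE_MODIFIERS)
    return base if mods == "0" else f"{base}|{mods}"


def describe(call: ApiCall) -> str:
    """Human-readable rendering of the memory-management calls in a record."""
    if call.func == "VirtualAlloc" and len(call.args) >= 4 and None not in call.args[:4]:
        addr, size, kind, prot = call.args[:4]
        return (f"VirtualAlloc(addr=0x{addr:x}, size=0x{size:x}, "
                f"{decode_flags(kind, ALLOCATION_TYPES)}, {decode_protection(prot)})")
    if call.func == "VirtualFree" and len(call.args) >= 3 and None not in call.args[:3]:
        addr, size, kind = call.args[:3]
        return f"VirtualFree(addr=0x{addr:x}, size=0x{size:x}, {decode_flags(kind, ALLOCATION_TYPES)})"
    return f"{call.func}.{call.module}"


def executable_allocations(calls) -> list:
    """VirtualAlloc calls requesting an executable protection: the case to look for
    when hunting unpacked or injected code. Empty for the record on this page."""
    return [c for c in calls
            if c.func == "VirtualAlloc" and len(c.args) >= 4
            and c.args[3] is not None and c.args[3] & EXECUTE_MASK]


# API lines copied from the HeapAlloc/VirtualAlloc record of this report.
SAMPLE_LINES = [
    "• HeapAlloc.KERNEL32(00000000,00002020,007EADD0,007EADD0,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BAD",
    "• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BD1",
    "• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BEB",
    "• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000,?), ref: 00537CAC",
    "• HeapFree.KERNEL32(00000000,00000000,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000,?,00000000), ref: 00537CC3",
]

CALLS = [c for c in map(parse_api_line, SAMPLE_LINES) if c is not None]

if __name__ == "__main__":
    for call in CALLS:
        print(f"{call.ref:08X}  {describe(call)}")
    print("executable allocations:", len(executable_allocations(CALLS)))
```

Run against the five lines above, the decoder shows a 4 MB MEM_RESERVE followed by a 64 KB MEM_COMMIT, both PAGE_READWRITE, and a MEM_RELEASE of the region; no call in this record requests an executable protection, so `executable_allocations` returns an empty list. Only the first arguments are decoded because the trailing values in these lines are stack contents the sandbox captured beyond the function's real parameter count.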
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 004C25E4
                                                        • GetParent.USER32(00000000), ref: 004C2634
                                                        • IsWindow.USER32(?), ref: 004C2654
                                                        • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C26CF
                                                          • Part of subcall function 00543C8A: ShowWindow.USER32(?,?,004C064C,00000000), ref: 00543C98
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Window$ParentShow
                                                        • String ID:
                                                        • API String ID: 2052805569-0
                                                        • Opcode ID: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
                                                        • Instruction ID: 8ac86f44b0dfbc81cd7dff368f2bdedc3af9632bde344600e6b833a7384d89f0
                                                        • Opcode Fuzzy Hash: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
                                                        • Instruction Fuzzy Hash: E941AD7A700301ABD760DE259E81FABB398AF84754F04052EFD449B381D7F8ED048BA9
                                                        APIs
                                                        • malloc.MSVCRT ref: 10029FB3
                                                        • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                        • free.MSVCRT ref: 10029FF6
                                                        • free.MSVCRT ref: 1002A014
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: free$Stringmalloc
                                                        • String ID:
                                                        • API String ID: 3576809655-0
                                                        • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                        • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                        • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                        • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                        APIs
                                                        • GetVersion.KERNEL32 ref: 0052D71E
                                                          • Part of subcall function 00533778: HeapCreate.KERNEL32(00000000,00001000,00000000,0052D756,00000001), ref: 00533789
                                                          • Part of subcall function 00533778: HeapDestroy.KERNEL32 ref: 005337C8
                                                        • GetCommandLineA.KERNEL32 ref: 0052D77E
                                                        • GetStartupInfoA.KERNEL32(?), ref: 0052D7A9
                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052D7CC
                                                          • Part of subcall function 0052D825: ExitProcess.KERNEL32 ref: 0052D842
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                        • String ID:
                                                        • API String ID: 2057626494-0
                                                        • Opcode ID: a9d3cb18c2b0d4bc339142cb5379fc00e6153457ac4b2cd76e06d38325266801
                                                        • Instruction ID: a300a1a9f8e61b3cd7f203f117430a3f505f1bf0aed6d603872cb569d37a6f3d
                                                        • Opcode Fuzzy Hash: a9d3cb18c2b0d4bc339142cb5379fc00e6153457ac4b2cd76e06d38325266801
                                                        • Instruction Fuzzy Hash: B121A2B1840756EEDB18AFB4EC4AB6E7FB8FF44B10F144519F8019A2A1DB748941CB60
                                                        APIs
                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                        • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                        • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2632390017.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CloseFileHandle$CreateWrite
                                                        • String ID:
                                                        • API String ID: 3602564925-0
                                                        • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                        • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                        • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                        • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                        APIs
                                                        • GetCPInfo.KERNEL32(?,00000000), ref: 00532903
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID: $
                                                        • API String ID: 1807457897-3032137957
                                                        • Opcode ID: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                                                        • Instruction ID: de92fe829f0f1edb44424a76e541e6a8fc962380dae01e6f80e4342a2145f488
                                                        • Opcode Fuzzy Hash: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                                                        • Instruction Fuzzy Hash: BC4148311047985FEB229724DD59BFB7FA9FB05700F1404E5E68ADB1A3C2F18A44DBA2
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00545966
                                                          • Part of subcall function 005452CB: __EH_prolog.LIBCMT ref: 005452D0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID: V5 $x|
                                                        • API String ID: 3519838083-3630372689
                                                        • Opcode ID: 555ab13e2bbad6c2cdc8b8d1ea9823813a41a07655c1732318872c572c2091ed
                                                        • Instruction ID: cba2a82ca3d7b513f2792b4cccc879df71892ef8a09cf04e0403c2182225a4f9
                                                        • Opcode Fuzzy Hash: 555ab13e2bbad6c2cdc8b8d1ea9823813a41a07655c1732318872c572c2091ed
                                                        • Instruction Fuzzy Hash: 0FF0C871A44B01EBDB25AF64844FBDD7BF0BB44368F10852EB502A71C2DB748A04CB14
                                                        APIs
                                                        • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,005374B2,00000000,00000000,00000000,0052F083,00000000,00000000,?,00000000,00000000,00000000), ref: 00537712
                                                        • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005374B2,00000000,00000000,00000000,0052F083,00000000,00000000,?,00000000,00000000,00000000), ref: 00537746
                                                        • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537760
                                                        • HeapFree.KERNEL32(00000000,?), ref: 00537777
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap$FreeVirtual
                                                        • String ID:
                                                        • API String ID: 3499195154-0
                                                        • Opcode ID: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                                                        • Instruction ID: 6e6c8bc331cad8672b451f52f58439a2b3a277a77febbd8b84755b904e484f80
                                                        • Opcode Fuzzy Hash: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                                                        • Instruction Fuzzy Hash: 53113670640741AFC7318F19EC8593A7FB6FB997A1B208A29F162D65B0C371A846DF40
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A), ref: 0054A4F7
                                                        • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A), ref: 0054A509
                                                        • LeaveCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A), ref: 0054A512
                                                        • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A,00544621), ref: 0054A524
                                                          • Part of subcall function 0054A429: GetVersion.KERNEL32(?,0054A4CC,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A,00544621,005458C6), ref: 0054A43C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                        • String ID:
                                                        • API String ID: 1193629340-0
                                                        • Opcode ID: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                                                        • Instruction ID: 66a79f6d3ff27fe97ba174377005ca2acb28d143e90104df70ef8b62568763b0
                                                        • Opcode Fuzzy Hash: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                                                        • Instruction Fuzzy Hash: 4DF0C83544330ADFCF60DF94FC98996B76CFB7031BB00442AE20583061EB30A44BCAA1
                                                        APIs
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E18
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E20
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E28
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E30
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2627974277.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2627956431.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628091765.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628412742.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628432669.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628469899.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628498925.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628584144.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628616973.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628645615.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628686210.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2628936966.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalInitializeSection
                                                        • String ID:
                                                        • API String ID: 32694325-0
                                                        • Opcode ID: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                                                        • Instruction ID: f09b7e46a3944a21f6efb323c7c42375265d9e7b4a21461fe96da00fa37f67c0
                                                        • Opcode Fuzzy Hash: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                                                        • Instruction Fuzzy Hash: 71C002719021B4FBCA512B55FE89C463F67EB1C261301C077A1045D470862E2C50EFD6

                                                        Execution Graph

                                                        Execution Coverage:6.7%
                                                        Dynamic/Decrypted Code Coverage:52.4%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:679
                                                        Total number of Limit Nodes:22

                                                        Control-flow Graph

                                                        (control-flow graph of function 100193c2, with executed and not-executed nodes marked; graph image not reproduced as text)
                                                        APIs
                                                          • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                          • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                          • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                          • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                        • String ID: @
                                                        • API String ID: 183890193-2766056989
                                                        • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                        • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                        • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                        • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                        Control-flow Graph

                                                        (control-flow graph of function 1000710e, with executed and not-executed nodes marked; graph image not reproduced as text)
                                                        APIs
                                                        • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                        • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                        • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Version$InfoNumbersSystem
                                                        • String ID:
                                                        • API String ID: 995872648-0
                                                        • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                        • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                        • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                        • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1034 10007fdd-1000801e call 100280c0 1037 10008020-10008026 call 10027487 1034->1037 1038 10008029-10008059 call 1000241a call 10007db8 1034->1038 1037->1038 1045 10008098-1000809d 1038->1045 1046 1000805f-10008063 1038->1046 1048 100080a8-100080ab 1045->1048 1049 1000809f-100080a5 call 10027487 1045->1049 1046->1045 1047 10008069-1000806c 1046->1047 1051 10008075-1000807c 1047->1051 1049->1048 1053 10008095 1051->1053 1054 1000807e-10008092 call 10027499 1051->1054 1053->1045 1054->1053
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID: `+Tw
                                                        • API String ID: 3535843008-1053621713
                                                        • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                        • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                        • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                        • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1057 10018ad3-10018b21 call 10018eea * 2 HeapCreate 1063 10018b23-10018b37 call 10027499 1057->1063 1064 10018b3a-10018b5e HeapCreate 1057->1064 1063->1064 1066 10018b60-10018b74 call 10027499 1064->1066 1067 10018b77-10018b8e call 10001000 1064->1067 1066->1067 1073 10018b90-10018ba4 call 10027499 1067->1073 1074 10018ba7-10018bc8 call 1000188f 1067->1074 1073->1074 1079 10018bd3-10018be4 call 1000b61e 1074->1079 1080 10018bca-10018bd0 call 10027487 1074->1080 1085 10018be6-10018bec call 10027487 1079->1085 1086 10018bef-10018c09 call 10001000 1079->1086 1080->1079 1085->1086 1091 10018c22-10018c43 call 1000188f 1086->1091 1092 10018c0b-10018c1f call 10027499 1086->1092 1097 10018c45-10018c4b call 10027487 1091->1097 1098 10018c4e-10018c5f call 1000b61e 1091->1098 1092->1091 1097->1098 1103 10018c61-10018c67 call 10027487 1098->1103 1104 10018c6a-10018c84 call 10001000 1098->1104 1103->1104 1109 10018c86-10018c9a call 10027499 1104->1109 1110 10018c9d-10018cbe call 1000188f 1104->1110 1109->1110 1115 10018cc0-10018cc6 call 10027487 1110->1115 1116 10018cc9-10018cda call 1000b61e 1110->1116 1115->1116 1121 10018ce5-10018cff call 10001000 1116->1121 1122 10018cdc-10018ce2 call 10027487 1116->1122 1127 10018d01-10018d15 call 10027499 1121->1127 1128 10018d18-10018d39 call 1000188f 1121->1128 1122->1121 1127->1128 1133 10018d44-10018d55 call 1000b61e 1128->1133 1134 10018d3b-10018d41 call 10027487 1128->1134 1139 10018d60-10018d7a call 10001000 1133->1139 1140 10018d57-10018d5d call 10027487 1133->1140 1134->1133 1145 10018d93-10018db4 call 1000188f 1139->1145 1146 10018d7c-10018d90 call 10027499 1139->1146 1140->1139 1151 10018db6-10018dbc call 10027487 1145->1151 1152 10018dbf-10018dd0 call 1000b61e 1145->1152 1146->1145 1151->1152 1157 10018dd2-10018dd8 call 10027487 1152->1157 1158 10018ddb-10018e4b call 10006453 call 1000710e call 10018f34 call 100191e3 call 10019edc call 1000ff10 call 100114f9 1152->1158 1157->1158 1175 10018e56-10018ea3 call 10019edc call 1000ff10 call 100114f9 1158->1175 1176 10018e4d-10018e53 call 10027487 1158->1176 1185 10018ea5-10018eab call 10027487 1175->1185 1186 10018eae-10018ec2 call 10019f4c 1175->1186 1176->1175 1185->1186 1190 10018ec7-10018ee9 call 1001a236 1186->1190
                                                        APIs
                                                          • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                        • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                          • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Create$Heap$ComputeCrc32Mutex
                                                        • String ID:
                                                        • API String ID: 3311811139-0
                                                        • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                        • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                        • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                        • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ExchangeInterlocked
                                                        • String ID:
                                                        • API String ID: 367298776-0
                                                        • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                        • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                        • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                        • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                        • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                        • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                        • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 228 4c4020-4c4045 229 4c404b-4c4056 228->229 230 4c40e3-4c40f2 228->230 231 4c4058-4c4062 229->231 232 4c4065-4c4068 229->232 233 4c439f-4c43b0 230->233 234 4c40f8-4c4108 230->234 231->232 235 4c407d 232->235 236 4c406a-4c407b call 52e388 232->236 237 4c4119-4c4136 call 4b1620 234->237 238 4c410a-4c4114 call 52e388 234->238 241 4c407f-4c4091 GetProcAddress 235->241 236->241 250 4c413c-4c414f call 52f3a0 237->250 251 4c424f 237->251 238->237 245 4c40c6-4c40e0 call 4c4000 241->245 246 4c4093-4c40c1 call 4cd7b0 call 4c43f0 call 53f8b1 241->246 246->245 264 4c421a-4c4221 LoadLibraryA 250->264 265 4c4155-4c4166 250->265 253 4c4254-4c4262 LoadLibraryA 251->253 256 4c429f-4c42a8 253->256 257 4c4264-4c4272 GetProcAddress 253->257 256->253 260 4c42aa-4c42b5 256->260 261 4c428a-4c4294 257->261 262 4c4274-4c427f 257->262 266 4c437c-4c437e 260->266 267 4c42bb-4c42bd 260->267 261->260 270 4c4296-4c429d FreeLibrary 261->270 262->261 269 4c4281-4c4287 262->269 264->260 268 4c4227-4c4235 GetProcAddress 264->268 272 4c4168-4c4186 call 53fafa LoadLibraryA call 53f8b1 265->272 273 4c4190-4c41dd call 53fafa * 2 LoadLibraryA call 53f8b1 * 2 265->273 277 4c4396-4c439c 266->277 278 4c4380-4c438b 266->278 275 4c42bf-4c42c0 FreeLibrary 267->275 276 4c42c6-4c42d5 call 4b1620 267->276 268->260 280 4c4237-4c4242 268->280 269->261 270->256 272->268 293 4c418c 272->293 273->268 308 4c41df-4c41f0 273->308 275->276 290 4c432a-4c4379 call 4cd7b0 call 4c43f0 call 53f8b1 276->290 291 4c42d7-4c4327 call 4cd7b0 call 4c43f0 call 53f8b1 276->291 277->233 278->277 283 4c438d-4c4393 278->283 280->260 285 4c4244-4c424d 280->285 283->277 285->260 293->273 311 4c4212-4c4214 308->311 312 4c41f2-4c420d call 53fafa LoadLibraryA call 53f8b1 308->312 311->268 314 4c4216 311->314 312->311 314->264
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,007E95F4), ref: 004C4087
                                                        • LoadLibraryA.KERNEL32(?,?,007F9FD8), ref: 004C4177
                                                        • LoadLibraryA.KERNEL32(?,?), ref: 004C41BD
                                                        • LoadLibraryA.KERNEL32(?,?,007F9EE0,?), ref: 004C4205
                                                        • LoadLibraryA.KERNEL32(?), ref: 004C421B
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004C422D
                                                        • FreeLibrary.KERNEL32(00000000), ref: 004C42C0
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Library$Load$AddressProc$Free
                                                        • String ID:
                                                        • API String ID: 3120990465-0
                                                        • Opcode ID: 85024bc73752be43d5b9e1f5a18eef924cdf7aa01b86ea9a9b0f9c3cd8f94b55
                                                        • Instruction ID: c838627082daf865a2f5288975a38c73a6164eba8630f2b3b15f871cc3ec409e
                                                        • Opcode Fuzzy Hash: 85024bc73752be43d5b9e1f5a18eef924cdf7aa01b86ea9a9b0f9c3cd8f94b55
                                                        • Instruction Fuzzy Hash: 59A1C079A00702ABD754DF64C895FABB3A8FFD8314F044A2EF85587341D738A905CB95

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 317 549410-54942d EnterCriticalSection 318 54943c-549441 317->318 319 54942f-549436 317->319 321 549443-549446 318->321 322 54945e-549467 318->322 319->318 320 5494f5-5494f8 319->320 323 549500-549521 LeaveCriticalSection 320->323 324 5494fa-5494fd 320->324 325 549449-54944c 321->325 326 54947c-549498 GlobalHandle GlobalUnlock GlobalReAlloc 322->326 327 549469-54947a GlobalAlloc 322->327 324->323 328 549456-549458 325->328 329 54944e-549454 325->329 330 54949e-5494aa 326->330 327->330 328->320 328->322 329->325 329->328 331 5494c7-5494f4 GlobalLock call 531020 330->331 332 5494ac-5494c2 GlobalHandle GlobalLock LeaveCriticalSection call 53d901 330->332 331->320 332->331
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(00828AA0,00828A74,00000000,?,00828A84,00828A84,005497AB,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6,?,00000000), ref: 0054941F
                                                        • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00828A84,00828A84,005497AB,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6,?,00000000), ref: 00549474
                                                        • GlobalHandle.KERNEL32(00ABA2C0), ref: 0054947D
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00549486
                                                        • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549498
                                                        • GlobalHandle.KERNEL32(00ABA2C0), ref: 005494AF
                                                        • GlobalLock.KERNEL32(00000000), ref: 005494B6
                                                        • LeaveCriticalSection.KERNEL32(0052D7D8,?,?,00828A84,00828A84,005497AB,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6,?,00000000), ref: 005494BC
                                                        • GlobalLock.KERNEL32(00000000), ref: 005494CB
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00549514
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                        • String ID:
                                                        • API String ID: 2667261700-0
                                                        • Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                        • Instruction ID: 53e9ce612839a117e337449bba78e3c70638cbec2c790d547ca72150bc8ce824
                                                        • Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                        • Instruction Fuzzy Hash: 923165752007069FDB249F68DC9AA6B7BE9FF44305F014A2DF856C3661D771E849CB10

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 470 54a0a3-54a10c call 5491ef GetModuleFileNameA call 52f6c7 call 54a1c0 477 54a121-54a124 470->477 478 54a10e-54a11b call 531e4c 470->478 480 54a126-54a137 call 5451a1 477->480 481 54a158-54a16a 477->481 478->477 486 54a13c-54a13e 480->486 483 54a16c-54a18c lstrcpyA call 531e4c 481->483 484 54a18d-54a194 481->484 483->484 488 54a196-54a1b5 lstrcatA call 531e4c 484->488 489 54a1bb-54a1bf 484->489 490 54a140-54a147 486->490 491 54a149 486->491 488->489 494 54a14f-54a155 call 531e4c 490->494 491->494 494->481
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A0D4
                                                          • Part of subcall function 0054A1C0: lstrlenA.KERNEL32(00000104,00000000,?,0054A104), ref: 0054A1F7
                                                        • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A175
                                                        • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A1A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                        • String ID: .HLP$.INI
                                                        • API String ID: 2421895198-3011182340
                                                        • Opcode ID: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
                                                        • Instruction ID: bca0d6cf56b7b712b634b80d4d1d1d7112b3351e13c35864bc9ba09b7c264cf1
                                                        • Opcode Fuzzy Hash: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
                                                        • Instruction Fuzzy Hash: B23170B6944719AFDB61DB70D889BC6BBFCFB04314F10496AE199D3151EB70A984CB10

                                                        Control-flow Graph: function 100294c0-100295b3, basic blocks 498-506. Block 499 calls GetTempPathA; block 505 (10029543-10029569) calls GetTickCount, wsprintfA and PathFileExistsA and loops on itself; block 506 calls sub-function 10027bb0.
                                                        APIs
                                                        • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                        • GetTickCount.KERNEL32 ref: 10029543
                                                        • wsprintfA.USER32 ref: 10029558
                                                        • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Path$CountExistsFileTempTickwsprintf
                                                        • String ID: %s%x.tmp
                                                        • API String ID: 3843276195-78920241
                                                        • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                        • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                        • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                        • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                                                        Control-flow Graph: function 10027bb0-10027bf8, basic blocks 769-773. Block 771 calls GetProcessHeap, block 770 calls RtlAllocateHeap; on the failure path block 773 calls MessageBoxA and sub-function 10027b10 before reaching the exit block 772.
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                        • RtlAllocateHeap.NTDLL(00AB0000,00000008,?,?,10028674), ref: 10027BCD
                                                        • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateMessageProcess
                                                        • String ID: error
                                                        • API String ID: 2992861138-1574812785
                                                        • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                        • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                        • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                        • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                        • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                          • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                          • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00AB0000,00000008,?,?,10028674), ref: 10027BCD
                                                          • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                        • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                        • String ID:
                                                        • API String ID: 749537981-0
                                                        • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                        • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                        • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                        • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                        Control-flow Graph: function 544631-54468f, basic blocks 912-922. Block 912 calls sub-function 5491ef; block 915 calls 548fb8, GetCurrentThreadId, SetWindowsHookExA and 54980c; blocks 921 and 922 call 5491ef and 549777 before the exit block 916.
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00544644
                                                        • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544654
                                                          • Part of subcall function 0054980C: __EH_prolog.LIBCMT ref: 00549811
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CurrentH_prologHookThreadWindows
                                                        • String ID: V`H
                                                        • API String ID: 2183259885-1425837005
                                                        • Opcode ID: 15d8a5ef623d8784ea92b3510a4e55f0f4dab0f796e01b6461698236c593e94b
                                                        • Instruction ID: ce4c10ce4f1fde015653ad3c903fdbeacdb3969411db0e93e2fecd0e6ffa25ff
                                                        • Opcode Fuzzy Hash: 15d8a5ef623d8784ea92b3510a4e55f0f4dab0f796e01b6461698236c593e94b
                                                        • Instruction Fuzzy Hash: DDF0A031891311AFCF602BB0E80FBEA7E54BB81729F45125CF552A61E1DE6048848B51

                                                        Control-flow Graph: function 54a040-54a0a0, basic blocks 1195-1206. Block 1195 calls SetErrorMode twice and sub-function 5491ef twice; block 1201 calls 54a0a3; block 1200 calls 5491ef; block 1206 calls 544631 before the exit block 1205.
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000000,00000000,005458E5,00000000,00000000,00000000,00000000,?,00000000,?,0053D073,00000000,00000000,00000000,00000000,0052D7D8), ref: 0054A049
                                                        • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D073,00000000,00000000,00000000,00000000,0052D7D8,00000000), ref: 0054A050
                                                          • Part of subcall function 0054A0A3: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A0D4
                                                          • Part of subcall function 0054A0A3: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A175
                                                          • Part of subcall function 0054A0A3: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A1A2
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                        • String ID:
                                                        • API String ID: 3389432936-0
                                                        • Opcode ID: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                                                        • Instruction ID: 188b5d5e8e1fe35dd59b7982f089a1208d62352469dd32f557762db68908edfc
                                                        • Opcode Fuzzy Hash: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                                                        • Instruction Fuzzy Hash: 88F03775A842128FDB54AF24D449A8A7FA8BF84714F05848EB8489B3A2CB74D840CF96
                                                        APIs
                                                        • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C3AF7
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3B1D
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: MessagePeek
                                                        • String ID:
                                                        • API String ID: 2222842502-0
                                                        • Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                        • Instruction ID: 549516e6bee9550d6c28109cdb640dbf344df1ff570d04f4577fde9d5c346bc4
                                                        • Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                        • Instruction Fuzzy Hash: 38F09B35B40312BBFB20EAA48C07F6B37986F44B01F54445AF7419B1D1E6B4F504CBA9
                                                        APIs
                                                        • HeapCreate.KERNEL32(00000000,00001000,00000000,0052D756,00000001), ref: 00533789
                                                          • Part of subcall function 00533630: GetVersionExA.KERNEL32 ref: 0053364F
                                                        • HeapDestroy.KERNEL32 ref: 005337C8
                                                          • Part of subcall function 00537045: HeapAlloc.KERNEL32(00000000,00000140,005337B1,000003F8), ref: 00537052
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocCreateDestroyVersion
                                                        • String ID:
                                                        • API String ID: 2507506473-0
                                                        • Opcode ID: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                                                        • Instruction ID: 436b11923727e9549315da22d288eca00aceb1011756a23ab154c99fd471797b
                                                        • Opcode Fuzzy Hash: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                                                        • Instruction Fuzzy Hash: 41F065F0655302AEEB706B70AC4A7393FE0FB84B52F204835F400C45B5EA608785DA01
                                                        APIs
                                                        • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                        • RtlFreeHeap.NTDLL(00AB0000,00000000,00000000), ref: 10027C80
                                                          • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FreeHandleHeapModuleRead
                                                        • String ID:
                                                        • API String ID: 627478288-0
                                                        • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                        • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                        • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                        • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F11C
                                                          • Part of subcall function 00535E34: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E71
                                                          • Part of subcall function 00535E34: EnterCriticalSection.KERNEL32(?,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E8C
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                        • String ID:
                                                        • API String ID: 1616793339-0
                                                        • Opcode ID: 13d1776afa5f12be5ee3715adac4af9234b4447746f83b7395a2fc1db7bbc90f
                                                        • Instruction ID: 7199248a12a6cf82eb1af24f2ab9af2755dd37cfe2b98d853d65e0f2b04fea4d
                                                        • Opcode Fuzzy Hash: 13d1776afa5f12be5ee3715adac4af9234b4447746f83b7395a2fc1db7bbc90f
                                                        • Instruction Fuzzy Hash: 74216072A00265EBDB20DB65FC4AB9E7B74BF02B20F244539F811EB1C1D6749941DB54
                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074), ref: 0052EFE2
                                                          • Part of subcall function 00535E34: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E71
                                                          • Part of subcall function 00535E34: EnterCriticalSection.KERNEL32(?,?,?,0052FF4C,00000009,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 00535E8C
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterFreeHeapInitialize
                                                        • String ID:
                                                        • API String ID: 641406236-0
                                                        • Opcode ID: 344201eb90bba04c0db412ba41cde0b17f8c3e97b6b073196274d8a04a6716e2
                                                        • Instruction ID: 6b2a2f7a0a4882739065feda01e4419bac96473d30e33cf75b3221229cdabaa9
                                                        • Opcode Fuzzy Hash: 344201eb90bba04c0db412ba41cde0b17f8c3e97b6b073196274d8a04a6716e2
                                                        • Instruction Fuzzy Hash: D2219272C0561AAADF21AB94ED0BBAEBF78FF05720F240229F410B61D0D7749941DBA1
                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                        • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                        • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                        • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                        APIs
                                                        • LoadStringA.USER32(?,?,?,?), ref: 005451B8
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: LoadString
                                                        • String ID:
                                                        • API String ID: 2948472770-0
                                                        • Opcode ID: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
                                                        • Instruction ID: 3205bcf6ada461b04f27a636879d6f3c113a41d2d57550d41bb3619f785f2c60
                                                        • Opcode Fuzzy Hash: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
                                                        • Instruction Fuzzy Hash: 7BD0A7721083629BCB12DF508808DCFBFA8BF54321B040C0DF88443111D320C404CB61
                                                        APIs
                                                        • ShowWindow.USER32(?,?,004C064C,00000000), ref: 00543C98
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        • Opcode ID: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                        • Instruction ID: f0a6913aaba4f4cd7a5797eb91c1e2fe5e7be7c40ecdc7b22ac4f8dd38869419
                                                        • Opcode Fuzzy Hash: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                        • Instruction Fuzzy Hash: 6AD09231214200EFCF059F61CA88B5ABBA2BF94709B609968E5469A165D732DD12EB41
                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                        • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                        • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                        • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                        APIs
                                                        • IsIconic.USER32(?), ref: 004CBFCC
                                                        • IsZoomed.USER32(?), ref: 004CBFDA
                                                        • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CC004
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CC017
                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CC025
                                                        • FreeLibrary.KERNEL32(00000000), ref: 004CC05B
                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC071
                                                        • IsWindow.USER32(?), ref: 004CC09E
                                                        • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC0AB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                                        • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                                        • API String ID: 447426925-661446951
                                                        • Opcode ID: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
                                                        • Instruction ID: 8f59d3ea329ccbef569b13d5a2e219825e78f0e85dcc19b69b40bfeef4af95d8
                                                        • Opcode Fuzzy Hash: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
                                                        • Instruction Fuzzy Hash: 66316D75300302AFDB509FA1CC99F2B77A8EF94B02F04451DFA05A7290DB78DD098BA5
                                                        APIs
                                                        • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: FileUnmapView
                                                        • String ID:
                                                        • API String ID: 2564024751-0
                                                        • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                        • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                        • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                        • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 1001A976
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                        • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$Release
                                                        • String ID:
                                                        • API String ID: 3581861777-0
                                                        • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                        • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                        • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                        • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                        APIs
                                                        • GetWindow.USER32(?,00000005), ref: 1001A773
                                                        • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                        • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Window$ProcessThreadVisible
                                                        • String ID:
                                                        • API String ID: 569392824-0
                                                        • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                        • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                        • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                        • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                        APIs
                                                        • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                        • NtClose.NTDLL(?), ref: 100141D7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CloseMutexRelease
                                                        • String ID: `+Tw
                                                        • API String ID: 2985832019-1053621713
                                                        • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                        • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                        • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                        • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                        APIs
                                                        • GetFocus.USER32 ref: 004C3BCF
                                                        • GetWindowRect.USER32(?,?), ref: 004C3C26
                                                        • GetParent.USER32(?), ref: 004C3C36
                                                        • GetParent.USER32(?), ref: 004C3C69
                                                        • GlobalSize.KERNEL32(00000000), ref: 004C3CB3
                                                        • GlobalLock.KERNEL32(00000000), ref: 004C3CBB
                                                        • IsWindow.USER32(?), ref: 004C3CD4
                                                        • GetTopWindow.USER32(?), ref: 004C3D11
                                                        • GetWindow.USER32(00000000,00000002), ref: 004C3D2A
                                                        • SetParent.USER32(?,?), ref: 004C3D56
                                                        • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C3DA1
                                                        • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C3DB0
                                                        • GetParent.USER32(?), ref: 004C3DC3
                                                        • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C3DDC
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 004C3DE4
                                                        • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C3E14
                                                        • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C3E22
                                                        • IsWindow.USER32(?), ref: 004C3E6E
                                                        • GetFocus.USER32 ref: 004C3E78
                                                        • SetFocus.USER32(?,00000000), ref: 004C3E90
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004C3E9B
                                                        • GlobalFree.KERNEL32(00000000), ref: 004C3EA2
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                                                        • String ID:
                                                        • API String ID: 300820980-0
                                                        • Opcode ID: a5e06cfc1a4b0c2b4fcf7307385b7f67ed5954e414faedcd3d11cb8bf83cb7da
                                                        • Instruction ID: a8dbba72d25d691889d15e2c3ac1096b02a44a277ded0c3e1f79c9fae5ddd12a
                                                        • Opcode Fuzzy Hash: a5e06cfc1a4b0c2b4fcf7307385b7f67ed5954e414faedcd3d11cb8bf83cb7da
                                                        • Instruction Fuzzy Hash: FFA18A75204701AFD760EF69CC88F6BB7E8BB88701F108A1DFA4297391DB78E9058B55
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                        • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                        • wsprintfA.USER32 ref: 10029676
                                                        • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                          • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                        • atoi.MSVCRT(?), ref: 100296CB
                                                        • strchr.MSVCRT ref: 10029703
                                                        • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                        • wsprintfA.USER32 ref: 10029739
                                                        • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                        • String ID: DLL ERROR
                                                        • API String ID: 3187504500-4092134112
                                                        • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                        • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                                                        • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                        • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
                                                        APIs
                                                        • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                        • strrchr.MSVCRT ref: 10028EC7
                                                        • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                        • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                        • String ID:
                                                        • API String ID: 1380196384-0
                                                        • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                        • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                                                        • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                        • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00533932,?,Microsoft Visual C++ Runtime Library,00012010,?,007C9F0C,?,007C9F5C,?,?,?,Runtime Error!Program: ), ref: 0053AFC7
                                                        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053AFDF
                                                        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053AFF0
                                                        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053AFFD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                        • API String ID: 2238633743-4044615076
                                                        • Opcode ID: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                                                        • Instruction ID: 83631bafcea997934691c960369491d56e8dcc973292f11984044307f5a8ba43
                                                        • Opcode Fuzzy Hash: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                                                        • Instruction Fuzzy Hash: D301B5716003037F97209FB5AC8CA6B3FA8B758781F04442DE255C2060DB78C856DB61
                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,00000100,007CA19C,00000001,00000000,00000000,76F8E860,0082CD44,?,?,?,0052F4AD,?,?,?,00000000), ref: 00536D76
                                                        • LCMapStringA.KERNEL32(00000000,00000100,007CA198,00000001,00000000,00000000,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 00536D92
                                                        • LCMapStringA.KERNEL32(?,?,?,0052F4AD,?,?,76F8E860,0082CD44,?,?,?,0052F4AD,?,?,?,00000000), ref: 00536DDB
                                                        • MultiByteToWideChar.KERNEL32(?,0082CD45,?,0052F4AD,00000000,00000000,76F8E860,0082CD44,?,?,?,0052F4AD,?,?,?,00000000), ref: 00536E13
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052F4AD,?,00000000,?,?,0052F4AD,?), ref: 00536E6B
                                                        • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052F4AD,?), ref: 00536E81
                                                        • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052F4AD,?), ref: 00536EB4
                                                        • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052F4AD,?), ref: 00536F1C
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: String$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 352835431-0
                                                        • Opcode ID: 23665512dbc1f0ee129b62cbf3537f722d825c4c217663448522a86d3a7c14c8
                                                        • Instruction ID: a17342d906475ba4ccb1d5677064555128497c3fa172171605df527d89ef9089
                                                        • Opcode Fuzzy Hash: 23665512dbc1f0ee129b62cbf3537f722d825c4c217663448522a86d3a7c14c8
                                                        • Instruction Fuzzy Hash: 90514632A00649BFCF228F94DC45EAF7FB9FB49754F248519F915A21A0D3328D24EB60
                                                        APIs
                                                        • CreatePopupMenu.USER32 ref: 004D124E
                                                        • AppendMenuA.USER32(?,?,00000000,?), ref: 004D13B1
                                                        • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D13E9
                                                        • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D1407
                                                        • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1465
                                                        • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D148A
                                                        • AppendMenuA.USER32(?,?,?,?), ref: 004D14D2
                                                        • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D14F7
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Menu$Append$Modify$CreatePopup
                                                        • String ID:
                                                        • API String ID: 3846898120-0
                                                        • Opcode ID: 4252469768366250099115f08a61241e952fe1ffa5309e5116c893b2703b2250
                                                        • Instruction ID: 91493e1bdffcaf6dc66c684a410da80f2d6e80719b3538bdff69fe5517fa1f35
                                                        • Opcode Fuzzy Hash: 4252469768366250099115f08a61241e952fe1ffa5309e5116c893b2703b2250
                                                        • Instruction Fuzzy Hash: 4BD187B1A04310ABD714DF18C894A6BBBE4FF89714F04452EFC8997361D779AD01CBA6
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0053387B
                                                        • GetStdHandle.KERNEL32(000000F4,007C9F0C,00000000,00000000,00000000,?), ref: 00533951
                                                        • WriteFile.KERNEL32(00000000), ref: 00533958
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: File$HandleModuleNameWrite
                                                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                        • API String ID: 3784150691-4022980321
                                                        • Opcode ID: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                                                        • Instruction ID: 72515ddb0692610db4a7505e1d49e372bb292cf5a690d6a1b86e6c6776ab662d
                                                        • Opcode Fuzzy Hash: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                                                        • Instruction Fuzzy Hash: BA31A6B2A01219BFEF20DA60CC49FDA7B7CFB89740F50055EF645E6091D6B4AA44CB51
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %I64d$%lf
                                                        • API String ID: 0-1545097854
                                                        • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                        • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                        • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                        • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 00533262
                                                        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 00533276
                                                        • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 005332A2
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D78E), ref: 005332DA
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D78E), ref: 005332FC
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052D78E), ref: 00533315
                                                        • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D78E), ref: 00533328
                                                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533366
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                        • String ID:
                                                        • API String ID: 1823725401-0
                                                        • Opcode ID: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
                                                        • Instruction ID: 8c6ccf067f4a9912778e7e44cb1990fb55bac82363fd60b951cc700d1dbe58f8
                                                        • Opcode Fuzzy Hash: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
                                                        • Instruction Fuzzy Hash: 0931D2725082A5AFDB307FB89CC887BBF9CFA45358F254D29F546C3151EE218E85C2A1
                                                        APIs
                                                        • IsWindow.USER32(?), ref: 004C036D
                                                        • GetParent.USER32(?), ref: 004C037F
                                                        • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C03A7
                                                        • GetWindowRect.USER32(?,?), ref: 004C0431
                                                        • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0454
                                                        • GetWindowRect.USER32(?,?), ref: 004C061C
                                                        • InvalidateRect.USER32(?,?,00000001,?), ref: 004C063D
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Rect$Window$Invalidate$MessageParentSend
                                                        • String ID:
                                                        • API String ID: 236041146-0
                                                        • Opcode ID: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
                                                        • Instruction ID: 4b688611f461f8368dac4805b52eac4689abec9f88679de377be81876f2b3777
                                                        • Opcode Fuzzy Hash: 81d391b1a723e09b9c18cc64043a067ec70dd673582f5b40f8d30b79793eff16
                                                        • Instruction Fuzzy Hash: AD910435A003119BCB64EF24C855FAB77E8AF84758F08061DFD459B391EB38ED058B99
                                                        APIs
                                                        • GetStringTypeW.KERNEL32(00000001,007CA19C,00000001,?,76F8E860,0082CD44,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A547
                                                        • GetStringTypeA.KERNEL32(00000000,00000001,007CA198,00000001,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A561
                                                        • GetStringTypeA.KERNEL32(?,?,?,?,0052F4AD,76F8E860,0082CD44,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A595
                                                        • MultiByteToWideChar.KERNEL32(?,0082CD45,?,?,00000000,00000000,76F8E860,0082CD44,?,?,0052F4AD,?,?,?,00000000,00000001), ref: 0053A5CD
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052F4AD,?), ref: 0053A623
                                                        • GetStringTypeW.KERNEL32(?,?,00000000,0052F4AD,?,?,?,?,?,?,0052F4AD,?), ref: 0053A635
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: StringType$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 3852931651-0
                                                        • Opcode ID: b82b0b397491a525da78d297f98bfb768413547d44694bdd85a965ef04cf11ec
                                                        • Instruction ID: 4b871046686aa4e8ec8d6391d9ae35cc721373a51036e5664877b65ab473ea0f
                                                        • Opcode Fuzzy Hash: b82b0b397491a525da78d297f98bfb768413547d44694bdd85a965ef04cf11ec
                                                        • Instruction Fuzzy Hash: 4541AD72A00219EFCF218F94DC86EAF3F79FB18751F144929F952E61A0D3318951DBA2
                                                        APIs
                                                        • TlsGetValue.KERNEL32(00828A84,00828A74,00000000,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 0054958A
                                                        • EnterCriticalSection.KERNEL32(00828AA0,00000010,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 005495D9
                                                        • LeaveCriticalSection.KERNEL32(00828AA0,00000000,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 005495EC
                                                        • LocalAlloc.KERNEL32(00000000,00000004,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 00549602
                                                        • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00828A84,?,005497E7,00828A74,00000000,?,00000000,005491FE,00548AED,0054921A,00544621,005458C6), ref: 00549614
                                                        • TlsSetValue.KERNEL32(00828A84,00000000), ref: 00549650
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                        • String ID:
                                                        • API String ID: 4117633390-0
                                                        • Opcode ID: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
                                                        • Instruction ID: a7d4a0411247d9e6807448b3e7392d0ea296d93a679dda7803eac46a40298901
                                                        • Opcode Fuzzy Hash: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
                                                        • Instruction Fuzzy Hash: 87319C71100605EFDB24CF25D89AFABBBB8FF45365F008518E416C7680DB70E809CB61
                                                        APIs
                                                        • GetVersionExA.KERNEL32 ref: 0053364F
                                                        • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533684
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005336E4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentFileModuleNameVariableVersion
                                                        • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                        • API String ID: 1385375860-4131005785
                                                        • Opcode ID: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                                                        • Instruction ID: 4dfd56f8853c037a5b2d345562e560861c3106079beb8ae4064598f65af0b585
                                                        • Opcode Fuzzy Hash: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                                                        • Instruction Fuzzy Hash: 93314BF19052587DEB3187706C9ABED3F68FB16704F2404E9D185D6182E6309FCACB21
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4c36edf7d12d1314a1372e16590304161adf48fd620d786af74f75f48fd59d46
                                                        • Instruction ID: be20e0895d428c32d52cb7b0394377f42a385b24d5d24aefee517c605bd2803a
                                                        • Opcode Fuzzy Hash: 4c36edf7d12d1314a1372e16590304161adf48fd620d786af74f75f48fd59d46
                                                        • Instruction Fuzzy Hash: F6C1C675904602AFC350DF24D881EAFB7E9EF94348F44492EF84697351E738F9068BA6
                                                        APIs
                                                        • GetStartupInfoA.KERNEL32(?), ref: 005333D7
                                                        • GetFileType.KERNEL32(?,?,00000000), ref: 00533482
                                                        • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 005334E5
                                                        • GetFileType.KERNEL32(00000000,?,00000000), ref: 005334F3
                                                        • SetHandleCount.KERNEL32 ref: 0053352A
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: FileHandleType$CountInfoStartup
                                                        • String ID:
                                                        • API String ID: 1710529072-0
                                                        • Opcode ID: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                                                        • Instruction ID: 58de3ddd0e2e92e51d2a0d253fc6a8bed5239909a434a31a5e8bb727088a362d
                                                        • Opcode Fuzzy Hash: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                                                        • Instruction Fuzzy Hash: A15102319042118FCB21CF78D89CA697FE0BF51328F298B68D5A2CB2E1D731DA4AD750
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Menu$Destroy$AcceleratorTableWindow
                                                        • String ID:
                                                        • API String ID: 1240299919-0
                                                        • Opcode ID: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
                                                        • Instruction ID: e8fca324fd41ac75f5667996a263c3a063f1a6c87b33762e55e35c0cab08daa7
                                                        • Opcode Fuzzy Hash: 9b1d58f53bbe6370dbf0b6d65112e3aea7c1c26efba9697c471bf99ff4dec6e5
                                                        • Instruction Fuzzy Hash: 7C31D8B5600306AFC720EF65DC44EAB77A9EF84355F06852DFD0597252EA38E809CBB0
                                                        APIs
                                                        • GetLastError.KERNEL32(00000103,7FFFFFFF,0052FAA2,005323B7,00000000,?,?,00000000,00000001), ref: 0053359E
                                                        • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005335AC
                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 005335F8
                                                          • Part of subcall function 0052FE96: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,005335C1,00000001,00000074,?,?,00000000,00000001), ref: 0052FF8C
                                                        • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 005335D0
                                                        • GetCurrentThreadId.KERNEL32 ref: 005335E1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                        • String ID:
                                                        • API String ID: 2020098873-0
                                                        • Opcode ID: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
                                                        • Instruction ID: 438d8a4e05a95baa21e12208a53bddc31b6c13d54156d796b313c472ae853cc2
                                                        • Opcode Fuzzy Hash: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
                                                        • Instruction Fuzzy Hash: E2F09036601722ABD7322B70BC1E6593F64FF517B3F214629F581DA1E0CF248A4596A1
                                                        APIs
                                                        • wsprintfA.USER32 ref: 10027B78
                                                        • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: Messagewsprintf
                                                        • String ID: error$program internal error number is %d. %s
                                                        • API String ID: 300413163-3752934751
                                                        • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                        • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                        • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                        • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                        APIs
                                                        • HeapAlloc.KERNEL32(00000000,00002020,007EADD0,007EADD0,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BAD
                                                        • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BD1
                                                        • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000), ref: 00537BEB
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000,?), ref: 00537CAC
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,00538058,00000000,00000010,00000000,00000009,00000009,?,0052F0E1,00000010,00000000,?,00000000), ref: 00537CC3
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual$FreeHeap
                                                        • String ID:
                                                        • API String ID: 714016831-0
                                                        • Opcode ID: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
                                                        • Instruction ID: 1512858f030f1cc50898cefec8b6d809c31302b4ce8c375ac6474d5aef16df46
                                                        • Opcode Fuzzy Hash: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
                                                        • Instruction Fuzzy Hash: B03122B0A4170EAFD330CF24EC44B21BBE0FB88756F108A39E4559B690E738AC40DB49
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 004C25E4
                                                        • GetParent.USER32(00000000), ref: 004C2634
                                                        • IsWindow.USER32(?), ref: 004C2654
                                                        • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C26CF
                                                          • Part of subcall function 00543C8A: ShowWindow.USER32(?,?,004C064C,00000000), ref: 00543C98
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Window$ParentShow
                                                        • String ID:
                                                        • API String ID: 2052805569-0
                                                        • Opcode ID: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
                                                        • Instruction ID: 8ac86f44b0dfbc81cd7dff368f2bdedc3af9632bde344600e6b833a7384d89f0
                                                        • Opcode Fuzzy Hash: 1b81bce4c9786c850dedb856b074b5a48fab155c1fc0002ee67d46a371345eb3
                                                        • Instruction Fuzzy Hash: E941AD7A700301ABD760DE259E81FABB398AF84754F04052EFD449B381D7F8ED048BA9
                                                        APIs
                                                        • malloc.MSVCRT ref: 10029FB3
                                                        • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                        • free.MSVCRT ref: 10029FF6
                                                        • free.MSVCRT ref: 1002A014
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: free$Stringmalloc
                                                        • String ID:
                                                        • API String ID: 3576809655-0
                                                        • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                        • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                        • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                        • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                        APIs
                                                        • GetVersion.KERNEL32 ref: 0052D71E
                                                          • Part of subcall function 00533778: HeapCreate.KERNEL32(00000000,00001000,00000000,0052D756,00000001), ref: 00533789
                                                          • Part of subcall function 00533778: HeapDestroy.KERNEL32 ref: 005337C8
                                                        • GetCommandLineA.KERNEL32 ref: 0052D77E
                                                        • GetStartupInfoA.KERNEL32(?), ref: 0052D7A9
                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052D7CC
                                                          • Part of subcall function 0052D825: ExitProcess.KERNEL32 ref: 0052D842
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                        • String ID:
                                                        • API String ID: 2057626494-0
                                                        • Opcode ID: a9d3cb18c2b0d4bc339142cb5379fc00e6153457ac4b2cd76e06d38325266801
                                                        • Instruction ID: a300a1a9f8e61b3cd7f203f117430a3f505f1bf0aed6d603872cb569d37a6f3d
                                                        • Opcode Fuzzy Hash: a9d3cb18c2b0d4bc339142cb5379fc00e6153457ac4b2cd76e06d38325266801
                                                        • Instruction Fuzzy Hash: B121A2B1840756EEDB18AFB4EC4AB6E7FB8FF44B10F144519F8019A2A1DB748941CB60
                                                        APIs
                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                        • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                        • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2632134247.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10000000_215.jbxd
                                                        Similarity
                                                        • API ID: CloseFileHandle$CreateWrite
                                                        • String ID:
                                                        • API String ID: 3602564925-0
                                                        • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                        • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                        • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                        • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                        APIs
                                                        • GetCPInfo.KERNEL32(?,00000000), ref: 00532903
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID: $
                                                        • API String ID: 1807457897-3032137957
                                                        • Opcode ID: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                                                        • Instruction ID: de92fe829f0f1edb44424a76e541e6a8fc962380dae01e6f80e4342a2145f488
                                                        • Opcode Fuzzy Hash: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                                                        • Instruction Fuzzy Hash: BC4148311047985FEB229724DD59BFB7FA9FB05700F1404E5E68ADB1A3C2F18A44DBA2
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00545966
                                                          • Part of subcall function 005452CB: __EH_prolog.LIBCMT ref: 005452D0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: H_prolog
                                                        • String ID: V5 $x|
                                                        • API String ID: 3519838083-3630372689
                                                        • Opcode ID: 555ab13e2bbad6c2cdc8b8d1ea9823813a41a07655c1732318872c572c2091ed
                                                        • Instruction ID: cba2a82ca3d7b513f2792b4cccc879df71892ef8a09cf04e0403c2182225a4f9
                                                        • Opcode Fuzzy Hash: 555ab13e2bbad6c2cdc8b8d1ea9823813a41a07655c1732318872c572c2091ed
                                                        • Instruction Fuzzy Hash: 0FF0C871A44B01EBDB25AF64844FBDD7BF0BB44368F10852EB502A71C2DB748A04CB14
                                                        APIs
                                                        • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,005374B2,00000000,00000000,00000000,0052F083,00000000,00000000,?,00000000,00000000,00000000), ref: 00537712
                                                        • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005374B2,00000000,00000000,00000000,0052F083,00000000,00000000,?,00000000,00000000,00000000), ref: 00537746
                                                        • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537760
                                                        • HeapFree.KERNEL32(00000000,?), ref: 00537777
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap$FreeVirtual
                                                        • String ID:
                                                        • API String ID: 3499195154-0
                                                        • Opcode ID: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                                                        • Instruction ID: 6e6c8bc331cad8672b451f52f58439a2b3a277a77febbd8b84755b904e484f80
                                                        • Opcode Fuzzy Hash: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                                                        • Instruction Fuzzy Hash: 53113670640741AFC7318F19EC8593A7FB6FB997A1B208A29F162D65B0C371A846DF40
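The VirtualAlloc entry above is listed with raw hexadecimal arguments (00000000,00100000,00002000,00000004), which a reader has to decode by hand to see that this is a 1 MiB PAGE_READWRITE reservation (MEM_RESERVE), i.e. ordinary heap-manager behaviour rather than an RWX region staged for unpacked code. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's "APIs" line format and decodes the allocation-type and protection constants using their documented Win32 values. The first sample line is copied from this entry; the second, an RWX commit, is constructed to show what an unpacking-style allocation would look like in the same format.

```python
import re

# Sample "APIs" lines in the report's format. The first is this function's own
# VirtualAlloc call; the second is a constructed RWX example, not from the report.
SAMPLE_LINES = [
    "• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537760",
    "• VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000040), ref: 00401000",
]

# Documented Win32 constants for VirtualAlloc's flAllocationType and flProtect.
ALLOC_TYPES = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES",
}
PROTECTS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

# Shape of one report line: "<Api>.<Module>(<hex args or ?>), ref: <hex address>"
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)


def parse_api_line(line):
    """Parse one "APIs" line; '?' arguments (unknown to the sandbox) become None."""
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_flags(value, table):
    """Expand a bitmask into constant names; unknown leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def decode_virtualalloc(entry):
    """Interpret a parsed VirtualAlloc entry and flag writable+executable mappings."""
    addr, size, alloc_type, protect = entry["args"][:4]
    base = protect & 0xFF  # low byte selects one PAGE_* value; higher bits are modifiers
    return {
        "address": "NULL (kernel chooses)" if addr == 0 else hex(addr),
        "size": size,
        "allocation_type": decode_flags(alloc_type, ALLOC_TYPES),
        "protect": [PROTECTS.get(base, hex(base))] + decode_flags(protect & ~0xFF, PROTECT_MODIFIERS),
        # RWX memory is the usual staging area for unpacked or injected code.
        "rwx": base in (0x40, 0x80),
    }


def triage(lines):
    """Return (ref, decoded) for every VirtualAlloc line in a list of report lines."""
    results = []
    for line in lines:
        entry = parse_api_line(line)
        if entry and entry["api"] == "VirtualAlloc":
            results.append((hex(entry["ref"]), decode_virtualalloc(entry)))
    return results


if __name__ == "__main__":
    for ref, info in triage(SAMPLE_LINES):
        print(ref, info)
```

Run over the whole "APIs" section of a report, `triage` separates plain heap reservations like this one from the PAGE_EXECUTE_READWRITE commits that deserve a closer look; the parser also accepts the `?` placeholders the sandbox emits for arguments it could not resolve.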
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A), ref: 0054A4F7
                                                        • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A), ref: 0054A509
                                                        • LeaveCriticalSection.KERNEL32(00828C38,?,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A), ref: 0054A512
                                                        • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A,00544621), ref: 0054A524
                                                          • Part of subcall function 0054A429: GetVersion.KERNEL32(?,0054A4CC,?,0054982D,00000010,?,00000000,?,?,?,00549214,00549277,00548AED,0054921A,00544621,005458C6), ref: 0054A43C
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                        • String ID:
                                                        • API String ID: 1193629340-0
                                                        • Opcode ID: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                                                        • Instruction ID: 66a79f6d3ff27fe97ba174377005ca2acb28d143e90104df70ef8b62568763b0
                                                        • Opcode Fuzzy Hash: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                                                        • Instruction Fuzzy Hash: 4DF0C83544330ADFCF60DF94FC98996B76CFB7031BB00442AE20583061EB30A44BCAA1
                                                        APIs
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E18
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E20
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E28
                                                        • InitializeCriticalSection.KERNEL32(?,0053353B,?,0052D768), ref: 00535E30
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2627995395.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.2627972610.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628115325.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628452361.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628482795.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628510194.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628615775.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628636910.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628684737.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628730550.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628754532.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000004.00000002.2628956131.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_215.jbxd
                                                        Similarity
                                                        • API ID: CriticalInitializeSection
                                                        • String ID:
                                                        • API String ID: 32694325-0
                                                        • Opcode ID: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                                                        • Instruction ID: f09b7e46a3944a21f6efb323c7c42375265d9e7b4a21461fe96da00fa37f67c0
                                                        • Opcode Fuzzy Hash: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                                                        • Instruction Fuzzy Hash: 71C002719021B4FBCA512B55FE89C463F67EB1C261301C077A1045D470862E2C50EFD6