
Windows Analysis Report
S17.exe

Overview

General Information

Sample name: S17.exe
Analysis ID: 1582393
MD5: 6a10c76e5b4d264ea9584ed40413cea6
SHA1: 9d863add57eaab21248351b77390d0a405c748a6
SHA256: b023eda70faaa0d8abb6e74feab481449ba108f0e266b36dd77a774e5af9bbec
Tags: exe, malware, trojan, user-Joker

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • S17.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\S17.exe" MD5: 6A10C76E5B4D264EA9584ED40413CEA6)
  • S17.exe (PID: 5888 cmdline: "C:\Users\user\Desktop\S17.exe" MD5: 6A10C76E5B4D264EA9584ED40413CEA6)
  • cleanup
No configs have been found
Source: Process Memory Space: S17.exe PID: 6232, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: Process Memory Space: S17.exe PID: 5888, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\Desktop\S17.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\S17.exe, ProcessId: 6232, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
      No Suricata rule has matched


      AV Detection

Source: C:\Users\user\Desktop\QQWER.dll, ReversingLabs: Detection: 73%
Source: S17.exe, ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\QQWER.dll, Joe Sandbox ML: detected
Source: S17.exe, Joe Sandbox ML: detected

      Compliance

Source: C:\Users\user\Desktop\S17.exe, Unpacked PE file: 0.2.S17.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S17.exe, Unpacked PE file: 5.2.S17.exe.10000000.2.unpack
Source: S17.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Binary string: devco n.pdbo source: S17.exe
      Source: Binary string: wntdll.pdbUGP source: S17.exe, 00000000.00000003.1686291864.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929726376.0000000002A98000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929709601.0000000002BBB000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111123893.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, 5504c5.tmp.5.dr, 545ee0.tmp.0.dr
      Source: Binary string: wntdll.pdb source: S17.exe, 00000000.00000003.1686291864.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929726376.0000000002A98000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929709601.0000000002BBB000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111123893.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, 5504c5.tmp.5.dr, 545ee0.tmp.0.dr
      Source: Binary string: DrvInDM U.pdbe source: S17.exe
      Source: Binary string: wuser32.pdb source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929904718.0000000002C40000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929886978.0000000002D71000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111915302.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, 545f4d.tmp.0.dr, 550542.tmp.5.dr
      Source: Binary string: devc@on.pdb source: S17.exe
      Source: Binary string: wuser32.pdbUGP source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929904718.0000000002C40000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929886978.0000000002D71000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111915302.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, 545f4d.tmp.0.dr, 550542.tmp.5.dr
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A199
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018AD3
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018AD3
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018EEA
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_100193C2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_100193C2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10007FDD
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10018801
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_10017804
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10011772
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10013C18
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10011C1A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A031
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10024C38
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006051
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006051
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001385A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10002461
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000F472
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1001847E
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10022882
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10025484
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10025484
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_10006495
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006C96
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10014096
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10014096
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FCB0
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_100198CC
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100188E1
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A4E7
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1000210D
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1000210D
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_1000B90D
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10003116
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017D41
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017D41
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FD4D
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10001D56
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10025977
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10010199
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001419C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001419C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008DA3
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100111A7
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10007DB8
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp5_2_1001D1C4
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001D1C4
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_100259D9
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100189E6
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000FDEA
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100101FB
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10014203
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000B61E
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_1001221F
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_1001221F
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A236
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1001363D
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001363D
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008E40
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10011653
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10011653
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010255
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010255
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10007E55
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_10007E55
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FA6F
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10022A80
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10011E89
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A6C7
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_10017ECA
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010AD6
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010AD6
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10008EDD
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001BADE
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100246E4
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100236FF
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100236FF
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FF10
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008B27
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001BB29
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_10015B34
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000833D
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-34h], esp5_2_10012B40
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1000634E
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000B353
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10026356
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp5_2_1001DB5C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_1001DB5C
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017B68
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10011772
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10024781
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10024781
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1000A7A2
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100137A3
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000F7AC
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008BC4
      Source: C:\Users\user\Desktop\S17.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10013FC8
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 192.144.128.212 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /123.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 192.144.128.212 | Cache-Control: no-cache
      Source: unknown | TCP traffic detected without corresponding DNS query: 192.144.128.212
      Source: unknownTCP traffic detected without corresponding DNS query: 192.144.128.212
      Source: unknownTCP traffic detected without corresponding DNS query: 192.144.128.212
      Source: unknownTCP traffic detected without corresponding DNS query: 192.144.128.212
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 192.144.128.212Cache-Control: no-cache
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputData memstr_ee75fa6d-3
      Source: Yara match | File source: Process Memory Space: S17.exe PID: 6232, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: S17.exe PID: 5888, type: MEMORYSTR
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_10007FDD NtClose
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1001419C ReleaseMutex,NtClose
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1001221F NtClose
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_10007FDD NtClose
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_1001419C ReleaseMutex,NtClose
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_1001221F NtClose
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_10002628
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_100032EA
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_10002628
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_100032EA
      Source: C:\Users\user\Desktop\S17.exe | Process token adjusted: Load Driver
      Source: C:\Users\user\Desktop\S17.exe | Process token adjusted: Security
      Source: C:\Users\user\Desktop\S17.exe | Code function: String function: 10029640 appears 130 times
      Source: 545ee0.tmp.0.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 5504c5.tmp.5.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 5504c5.tmp.5.dr | Static PE information: No import functions for PE file found
      Source: 545ee0.tmp.0.dr | Static PE information: No import functions for PE file found
      Source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S17.exe
      Source: S17.exe, 00000000.00000002.2929904718.0000000002CE8000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S17.exe
      Source: S17.exe, 00000000.00000003.1686291864.0000000002A0F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S17.exe
      Source: S17.exe, 00000000.00000002.2929726376.0000000002BC5000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S17.exe
      Source: S17.exe, 00000005.00000003.2111123893.0000000002B27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S17.exe
      Source: S17.exe, 00000005.00000003.2111915302.0000000002A06000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S17.exe
      Source: S17.exe, 00000005.00000002.2929709601.0000000002CE8000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S17.exe
      Source: S17.exe, 00000005.00000002.2929886978.0000000002E19000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs S17.exe
      Source: S17.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: QQWER.dll.0.dr | Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
      Source: 545ee0.tmp.0.dr | Binary string: \Device\IPT[
      Source: classification engine | Classification label: mal80.evad.winEXE@2/12@0/1
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_0040EE0D GetDiskFreeSpaceExA
      Source: C:\Users\user\Desktop\S17.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\S17.exe | Mutant created: NULL
      Source: C:\Users\user\Desktop\S17.exe | File created: C:\Users\user\AppData\Local\Temp\545ee0.tmp
      Source: S17.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\S17.exe | File read: C:\Users\user\Desktop\ .ini
      Source: C:\Users\user\Desktop\S17.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: S17.exe | ReversingLabs: Detection: 60%
      Source: unknown | Process created: C:\Users\user\Desktop\S17.exe "C:\Users\user\Desktop\S17.exe"
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\S17.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\S17.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: C:\Users\user\Desktop\S17.exe | File written: C:\Users\user\Desktop\ .ini
      Source: C:\Users\user\Desktop\S17.exe | Window detected: Number of UI elements: 27
      Source: S17.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: S17.exe | Static file information: File size 4947968 > 1048576
      Source: S17.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13c000
      Source: S17.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x256000
      Source: S17.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
      Source: Binary string: devco n.pdbo source: S17.exe
      Source: Binary string: wntdll.pdbUGP source: S17.exe, 00000000.00000003.1686291864.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929726376.0000000002A98000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929709601.0000000002BBB000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111123893.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, 5504c5.tmp.5.dr, 545ee0.tmp.0.dr
      Source: Binary string: wntdll.pdb source: S17.exe, 00000000.00000003.1686291864.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929726376.0000000002A98000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929709601.0000000002BBB000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111123893.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, 5504c5.tmp.5.dr, 545ee0.tmp.0.dr
      Source: Binary string: DrvInDM U.pdbe source: S17.exe
      Source: Binary string: wuser32.pdb source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929904718.0000000002C40000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929886978.0000000002D71000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111915302.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, 545f4d.tmp.0.dr, 550542.tmp.5.dr
      Source: Binary string: devc@on.pdb source: S17.exe
      Source: Binary string: wuser32.pdbUGP source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929904718.0000000002C40000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2929886978.0000000002D71000.00000040.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000003.2111915302.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, 545f4d.tmp.0.dr, 550542.tmp.5.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\S17.exe | Unpacked PE file: 0.2.S17.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\S17.exe | Unpacked PE file: 5.2.S17.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_004AC9A0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary
      Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
      Source: QQWER.dll.0.dr | Static PE information: section name: .Upack
      Source: 545ee0.tmp.0.dr | Static PE information: section name: RT
      Source: 545ee0.tmp.0.dr | Static PE information: section name: .mrdata
      Source: 545ee0.tmp.0.dr | Static PE information: section name: .00cfg
      Source: 545f4d.tmp.0.dr | Static PE information: section name: .didat
      Source: 5504c5.tmp.5.dr | Static PE information: section name: RT
      Source: 5504c5.tmp.5.dr | Static PE information: section name: .mrdata
      Source: 5504c5.tmp.5.dr | Static PE information: section name: .00cfg
      Source: 550542.tmp.5.dr | Static PE information: section name: .didat
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_0051DD74 push eax; ret 0_2_0051DD92
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_0051BB00 push eax; ret 0_2_0051BB2E
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_0051DD74 push eax; ret 5_2_0051DD92
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_0051BB00 push eax; ret 5_2_0051BB2E
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_1002C7F8 push edi; ret 5_2_1002C7FC
      Source: QQWER.dll.0.dr | Static PE information: section name: .rsrc entropy: 7.999713933191419
      Source: 545ee0.tmp.0.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: 5504c5.tmp.5.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: C:\Users\user\Desktop\S17.exe | File created: C:\Users\user\AppData\Local\Temp\545ee0.tmp
      Source: C:\Users\user\Desktop\S17.exe | File created: C:\Users\user\AppData\Local\Temp\545f4d.tmp
      Source: C:\Users\user\Desktop\S17.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\S17.exe | File created: C:\Users\user\AppData\Local\Temp\550542.tmp
      Source: C:\Users\user\Desktop\S17.exe | File created: C:\Users\user\AppData\Local\Temp\5504c5.tmp
      Source: C:\Users\user\Desktop\S17.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits
      Source: C:\Users\user\Desktop\S17.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\S17.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-22104)
      Source: C:\Users\user\Desktop\S17.exe | File opened: C:\Windows\SysWOW64\ntdll.dll
      Source: C:\Users\user\Desktop\S17.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\545ee0.tmp
      Source: C:\Users\user\Desktop\S17.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\545f4d.tmp
      Source: C:\Users\user\Desktop\S17.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\S17.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\550542.tmp
      Source: C:\Users\user\Desktop\S17.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5504c5.tmp
      Source: C:\Users\user\Desktop\S17.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers
      Source: S17.exe, 00000005.00000002.2928855643.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWw
      Source: S17.exe, 00000005.00000002.2928855643.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
      Source: S17.exe, 00000000.00000002.2928866357.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2928866357.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2928866357.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2928855643.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\S17.exe | API call chain: ExitProcess graph end node (graph_0-22218)
      Source: C:\Users\user\Desktop\S17.exe | API call chain: ExitProcess graph end node (graph_5-22218)
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_10004B1B LdrInitializeThunk
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_004AC9A0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_1001A4C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S17.exe | Code function: 5_2_1000AE99 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA
      Source: C:\Users\user\Desktop\S17.exe | Process token adjusted: Debug
      Source: S17.exe, 00000005.00000002.2928855643.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow~
      Source: S17.exe | Binary or memory string: Shell_TrayWnd
      Source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2928866357.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929904718.0000000002C40000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
      Source: S17.exe, 00000000.00000003.1687015370.00000000028E8000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2928866357.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000000.00000002.2929904718.0000000002C40000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
      Source: S17.exe | Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow3260
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_10019EDC cpuid
      Source: C:\Users\user\Desktop\S17.exe | Code function: 0_2_00520440 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA
      MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the report's count of matching signatures for that technique):
      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: Native API (11); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
      Persistence: Registry Run Keys / Startup Folder (1); LSASS Driver (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
      Privilege Escalation: Process Injection (2); Registry Run Keys / Startup Folder (1); LSASS Driver (1); DLL Side-Loading (1); Network Logon Script; RC Scripts
      Defense Evasion: Masquerading (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
      Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: Security Software Discovery (111); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (15); Wi-Fi Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Screen Capture (1); Input Capture (11); Archive Collected Data (1); Input Capture; Keylogging; GUI Input Capture
      Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
S17.exe | 61% | ReversingLabs | Win32.Trojan.Midie
S17.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label
C:\Users\user\Desktop\QQWER.dll | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\545ee0.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\545f4d.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\5504c5.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\550542.tmp | 0% | ReversingLabs
C:\Users\user\Desktop\QQWER.dll | 73% | ReversingLabs | Win32.Infostealer.OnlineGames

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://192.144.128.212/%E5%AD%98%E6%A1%A3/ | 0% | Avira URL Cloud | safe
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt& | 0% | Avira URL Cloud | safe
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtf | 0% | Avira URL Cloud | safe
http://www.eyuyan.com)DVarFileInfo$ | 0% | Avira URL Cloud | safe
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txthttp://192.144.128.212/123.txt | 0% | Avira URL Cloud | safe
http://192.144.128.212/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtQ | 0% | Avira URL Cloud | safe
http://192.144.1Y | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txt% | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtt2XM | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtt3 | 0% | Avira URL Cloud | safe
http://192.144.128.212/ | 0% | Avira URL Cloud | safe
http://192.144.128.212// | 0% | Avira URL Cloud | safe
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtIXD | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtX | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtt | 0% | Avira URL Cloud | safe
http://192.144.128.212/6 | 0% | Avira URL Cloud | safe
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt8 | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txt | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtshqos.dll.muiX | 0% | Avira URL Cloud | safe
http://192.144.128.212/123.txtA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtmX8 | 0% | Avira URL Cloud | safe
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txt | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://192.144.128.212/%E5%AD%98%E6%A1%A3/ | S17.exe | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt& | S17.exe, 00000000.00000002.2928866357.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtf | S17.exe, 00000005.00000002.2928855643.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txt% | S17.exe, 00000005.00000002.2928855643.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eyuyan.com)DVarFileInfo$ | S17.exe | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt | S17.exe | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.s | S17.exe | false | (none) | high
http://192.144.1Y | S17.exe, 00000005.00000002.2928855643.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.symantec. | S17.exe | false | (none) | high
https://ww(w.v | S17.exe | false | (none) | high
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txthttp://192.144.128.212/123.txt | S17.exe | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txtQ | S17.exe, 00000005.00000002.2928855643.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txtt2XM | S17.exe, 00000000.00000002.2928866357.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txtt3 | S17.exe, 00000005.00000002.2928855643.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/ | S17.exe, 00000000.00000002.2928866357.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, S17.exe, 00000005.00000002.2928855643.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txtX | S17.exe, 00000005.00000002.2928855643.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.t | S17.exe | false | (none) | high
http://192.144.128.212// | S17.exe, 00000000.00000002.2928866357.0000000000C06000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txtIXD | S17.exe, 00000000.00000002.2928866357.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://sf.symc | S17.exe | false | (none) | high
http://192.144.128.212/123.txtt | S17.exe, 00000005.00000002.2928855643.0000000000A85000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/6 | S17.exe, 00000000.00000002.2928866357.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt8 | S17.exe, 00000000.00000002.2928866357.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txtshqos.dll.muiX | S17.exe, 00000005.00000002.2928855643.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.144.128.212/123.txtA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtmX8 | S17.exe, 00000000.00000002.2928866357.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.144.128.212 | unknown | China | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582393
Start date and time: 2024-12-30 14:37:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: S17.exe
Detection: MAL
Classification: mal80.evad.winEXE@2/12@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: S17.exe
Time | Type | Description
13:38:31 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\Desktop\S17.exe
                No context
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
• loligang.ppc.elf | malicious | Mirai | 106.55.194.191
• db0fa4b8db0333367e9bda3ab68b8042.m68k.elf | malicious | Mirai, Gafgyt | 111.231.124.162
• 7wOqCnSoTo.exe | malicious | GhostRat | 106.54.31.97
• db0fa4b8db0333367e9bda3ab68b8042.i686.elf | malicious | Mirai, Gafgyt | 118.28.147.172
• db0fa4b8db0333367e9bda3ab68b8042.sh4.elf | malicious | Mirai, Gafgyt | 49.235.142.203
• db0fa4b8db0333367e9bda3ab68b8042.spc.elf | malicious | Mirai, Gafgyt | 150.158.255.197
• telnet.arm.elf | malicious | Unknown | 106.53.85.48
• telnet.sh4.elf | malicious | Unknown | 129.211.52.2
• armv5l.elf | malicious | Mirai | 106.52.4.53
• armv5l.elf | malicious | Mirai | 120.53.15.208
                No context
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\Temp\545ee0.tmp
• S12.exe | malicious | Unknown
• 215.exe | malicious | Unknown
• S4.exe | malicious | Unknown
• 208.exe | malicious | Unknown
• 99.exe | malicious | Unknown
• 211.exe | malicious | Unknown
• 212.exe | malicious | Unknown
• 214.exe | malicious | Unknown
• SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
• file.exe | malicious | Unknown
Match: C:\Users\user\AppData\Local\Temp\545f4d.tmp
• S12.exe | malicious | Unknown
• 215.exe | malicious | Unknown
• S4.exe | malicious | Unknown
• 208.exe | malicious | Unknown
• 99.exe | malicious | Unknown
• 211.exe | malicious | Unknown
• 212.exe | malicious | Unknown
• 214.exe | malicious | Unknown
• SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
• file.exe | malicious | Unknown
Process: C:\Users\user\Desktop\S17.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1699896
Entropy (8bit): 6.290547513916722
Encrypted: false
SSDEEP: 24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5: 5564A98A4692BA8B2D25770FB834D5F6
SHA1: 129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256: 28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512: D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: S12.exe, Detection: malicious
• Filename: 215.exe, Detection: malicious
• Filename: S4.exe, Detection: malicious
• Filename: 208.exe, Detection: malicious
• Filename: 99.exe, Detection: malicious
• Filename: 211.exe, Detection: malicious
• Filename: 212.exe, Detection: malicious
• Filename: 214.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\S17.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1679648
Entropy (8bit): 5.3288490918902225
Encrypted: false
SSDEEP: 24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5: 2E8AB67DC55089DFBCBFA7710BD15B07
SHA1: 159434853CE512029314C6B70070220D251A924A
SHA-256: 2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512: 7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: S12.exe, Detection: malicious
• Filename: 215.exe, Detection: malicious
• Filename: S4.exe, Detection: malicious
• Filename: 208.exe, Detection: malicious
• Filename: 99.exe, Detection: malicious
• Filename: 211.exe, Detection: malicious
• Filename: 212.exe, Detection: malicious
• Filename: 214.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\S17.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1699896
Entropy (8bit): 6.290547513916722
Encrypted: false
SSDEEP: 24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5: 5564A98A4692BA8B2D25770FB834D5F6
SHA1: 129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256: 28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512: D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\S17.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1679648
Entropy (8bit): 5.3288490918902225
Encrypted: false
SSDEEP: 24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5: 2E8AB67DC55089DFBCBFA7710BD15B07
SHA1: 159434853CE512029314C6B70070220D251A924A
SHA-256: 2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512: 7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\S17.exe
File Type: PC bitmap, Windows 3.x format, 88 x 30 x 24, image size 7920, cbSize 7974, bits offset 54
Category: dropped
Size (bytes): 7974
Entropy (8bit): 5.673356453027983
Encrypted: false
SSDEEP: 192:Ff/ZR+G5hr4gwFy2EmU8fTDAa/AUdiwcWOWNnLV:FfbEzsxUdinWDh
MD5: 7E50424DE95D765740BCE30899FA4E3B
SHA1: 306B279E18EB8830960449758C025C0F13F7A484
SHA-256: 1886332AA5F083560E14B3E7DAEF8BFBFA7BE16FBD93CC10CD84C11C87014AA6
SHA-512: 4E9349366B4A16111B47E6E78D289DC22892BA7B2E5E5A8F46C808CA268FEEE1D7483A4E43F46686DB24E4C50C4BABBD2A8722D323A25C7656F31C45D186B5A3
Malicious: false
Process: C:\Users\user\Desktop\S17.exe
File Type: PC bitmap, Windows 3.x format, 113 x 35 x 24, image size 11900, cbSize 11954, bits offset 54
Category: dropped
Size (bytes): 11954
Entropy (8bit): 5.409855539827035
Encrypted: false
SSDEEP: 192:fZQMVQGPMZvJHDbHCWRi+vExCtcPvo+zyjDEz4D5fpDvzmJ7If8:fZQyQ+GhXb/eycPvvzyjgz49fpjzmJ8E
MD5: C493B0AA16D37E5FEFD7B9122541CE9C
SHA1: 1C472E2C8E6D10D5B266F88EC2FD054413470D4E
SHA-256: F98734C3B9559D549C65DCE47EE33E7037EB35055B548B7D0B4773777052FFB5
SHA-512: 1819E0B95F10BC019217B59F2540E01C6D05F10F0AF8F8EBBF5EEFC5DB0EA15E715858DF2CD0E2A23E37E415F540016174C8C7741DAAE30686FFE6E8019C449C
Malicious: false
Process: C:\Users\user\Desktop\S17.exe
File Type: PC bitmap, Windows 3.x format, 30 x 30 x 24, image size 2760, cbSize 2814, bits offset 54
Category: dropped
Size (bytes): 2814
Entropy (8bit): 6.009651948393757
Encrypted: false
SSDEEP: 48:twMisdyOfXdCbp////K8//fPLoM7P7xN7e9oS/v/0lUpR2WC7Hn:7yO/dC1////T//fP8gu3/v/0lUpR2b7H
MD5: BE0F9D021BF9ED2CEA9572D88BFA9E02
SHA1: 8DE179621E6E5C5DEDF5C8F5A3F917062C7ACDD4
SHA-256: 8629EDCDBA642EEECA74DD4CFBF72AA1FF61C8039D8851175017E582B25E64B8
SHA-512: 849FA4B9883800A490F558A35361FB2849D986D1917AF7FF5F45AF2E2EEC758BC33C0CF7D20BDC108D29D0FE1021B6390E12B9BB02DEDAF33C442AD633124B9E
Malicious: false
                                                        Preview:BM........6...(.......................................*$3+&4+'6+'7,(8+':,)<+)=+)>,)?-*A+)@+)A+*B,+D,+D,+F++F,,I,+H,+I,,K-.L,-M,-M,-N,.O..Q./R./S..+$.*$.,%0*%2+%3+&4,&5+'6,(8+(9(#5# 6!.:!.;".;!.=#.<".>".>".?".?!.A#.@" A# B" C#!C&$E*(I,,J..*")*#**$,*$,+$.+$/,%1+%2+%3($0#.C)..-...../../../../../../../../../../../../.....,..(.}*(D..*"&)"'*"()")*"*("**#,*$-+$.#.',..0..1..0..1..0..1..0..0..1..0..0..0..1..1..0..1..0..0..*.s..* "*!#)!$*!%*"&*#'*"(*"),$-#.$6 .6 .6 .6 .6 .6 .6 .6..6 .6 .6..6 .6..6 .6 .6 .6 .6 .6 ./ ...)..(. ) !) !* #) #)!$*)0,;Y&1G=+.>(.>(.>(.>(.>(.>(.>(.>(.>'.>(.>(.>(.>(.>(.>(.>'.>(.>(.4$...)..)..) ) ). ) )!"/x.0..8..5U.B7.F0.G0.G0.F/.G0.G0.F/.G0.F/.F/.F/.F/.F/.F/.F/.G0.G0.9)...*..)..)..(..)..(..(..=..>..<..S..Jd.K9.O8.O7.O7.O8.O8.O8.O8.O8.O8.O7.O8.O7.O8.O8.O8.O8.>-...)..)..*..)..*..*..*..Jjp[..c..B..D..HF.W?.W?.W?.W?.W?.W@.W@.W@.W@.V?.W@.W?.W@.W@.W@.W?.C2...)..(..)..(..)..(..)..,"!FUYQ..:..9..VN.]E.]F.]H.]J.^M.^R.^X.^V.]P.]M.]J.]G.]E.]E.]F.]E.G6...)..)..)..)..)..)..)..)..).
                                                        Process:C:\Users\user\Desktop\S17.exe
                                                        File Type:PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced
                                                        Category:dropped
                                                        Size (bytes):931
                                                        Entropy (8bit):7.686509007424359
                                                        Encrypted:false
                                                        SSDEEP:24:P5FBJ4EF5F6lwDXJwWtWXeStXMyNr2Y5idf3Gi7:P57PF6l4XeeuNJNr5Kf2o
                                                        MD5:4FEDCB19004834F7720C4CD7C387F98A
                                                        SHA1:C05E45AC4FC4DF921E8C11574DE42AA48ED21809
                                                        SHA-256:D24F79618C29D22DEE06477554CBDA92C7C0226DF9688133271996EDF2332DD3
                                                        SHA-512:928A32FAA980C6CCCDD4251072F3096A3194FA5D59DD03B74273D69FFF6BD0C7C882A440D7A20A3DA2807D892D1B20E4E3A624919CB21E593CC0F38E8B600878
                                                        Malicious:false
                                                        Preview:.PNG........IHDR..............T<.....sRGB.........gAMA......a.....pHYs..........o.d...8IDATHK..kH.Q...,..........zk+.n.y.`-0.l-5..Pi...X.i.e....Y..A.].!D%#.2*.HB+(+(..m....J.k.<...}.3s.C.:,.=!...`O...".....Rpqv...b.W.'I=k7aER8R.._.Z./....+..v.7Wg...H.9...ip.JR..........A.%...u.c..3..6,)L.3.r7..rx..>.O.2FJ.R.16R..F\...!._.5..E............r...!a.A...O.;h.+L..|.-f.7..T3.u....Rx{z........0....M4..~s....p.-.w{...x......9-.w.~v&Jo98"C5x..8>....sL>.E~v.|.......U.rlg.y.}....3Q)..&n}...+...O8.O..2\~..(A.........:......c.b..'%.(.....O.W..F....'j_.h4~J.2.>..1%.........2>.Z....J.Y.C4L.fk.r.u.c.f.....r:.V"..%...(FAv.(K.H.F..c..w..0p.H@..Bd...N..].....1...,.M7.....2._p.........6.`...&4......637/.!&..;i?;.@.R.$.q.5..m9..u.y>.LOk.X.s..>k?....<?....PQ............r6..E[..fX..s.:.....G.IH.?la..=_.J...8.4....F.;.yI.>.R.+O.lv..s.+.......h!.......-..,..&I=k7.......a..'dED...Y...{...>.g........IEND.B`.
                                                        Process:C:\Users\user\Desktop\S17.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):19
                                                        Entropy (8bit):3.536886723742169
                                                        Encrypted:false
                                                        SSDEEP:3:Vv:Vv
                                                        MD5:6CAEF80C0A930A24861D178A7E6BDEA6
                                                        SHA1:BEE0E634AE94E72C73BF17B5F97D9F9BDDE2DAD0
                                                        SHA-256:004A2BE320DC08F26F0BBB9919DDBDE7EE6A4D291A63E1C769C1A9F0F9C70286
                                                        SHA-512:A183F3934D08AA52956A01DE9D13D83C3437E55149F153B011DA8F02E04E513F571EE334A4256829504521F667D5174D806EDC3EE251953D77F96EDD896D89DC
                                                        Malicious:false
                                                        Preview:[Cofig]..Z1=..Z2=..
                                                        Process:C:\Users\user\Desktop\S17.exe
                                                        File Type:PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
                                                        Category:dropped
                                                        Size (bytes):14774
                                                        Entropy (8bit):4.868699837953847
                                                        Encrypted:false
                                                        SSDEEP:384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
                                                        MD5:EE883808D176D23096A2D4F339C84368
                                                        SHA1:D901775EDE136567215ABE718023C1A62F46A0A6
                                                        SHA-256:3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
                                                        SHA-512:F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
                                                        Malicious:false
                                                        Preview:BM.9......6...(...z...(............9..............................................................................................................................~..~..~..~..}..}..}..}..|..|..{..{..{..{..z..z..z..z..y..y..x..y..x..x..w..x..w..w..v..v..v..v..u..u..t..t..t..t..s..s..s..s..r..r..q..r..q..q..p..q..p..p..o..o..o..o..n..n..m..n..m..m..l..l..l..l..k..k..j..k................................................................................................................~..~..}..}..}..}..|..|..|..|..{..{..z..{..z..z..y..z..y..y..x..x..x..x..w..w..v..v..v..v..u..u..u..u..t..t..s..t..s..s..r..s..r..r..q..q..q..q..p..p..o..p..o..o..n..n..n..n..m..m..l..m..l..l..k..l..k..k..j..j...............................................................................................................~..~..~..~..}..}..|..}..|..|..{..{..{..{..z..z..y..z.
                                                        Process:C:\Users\user\Desktop\S17.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):687517
                                                        Entropy (8bit):7.999653084247243
                                                        Encrypted:true
                                                        SSDEEP:12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
                                                        MD5:4B7109E2F77FF15219B81079DF8C12B2
                                                        SHA1:AB3BF417AF304B83CD49707E399BC06E1E10D519
                                                        SHA-256:BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
                                                        SHA-512:770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 73%
                                                        Preview:MZKERNEL32.DLL..LoadLibraryA....GetProcAddress..UpackByDwing@...PE..L..................!...9.`..........`X.......p......................................................................,[..q....[..............................H........................................................................................Upack..............................`....rsrc............{..................`........[...............Z...Z...Z...Z...Z.......Z...Z...X.......[.......Y......|...........u...............................*..T...h........Zx.)1Y"F..,...L..F.4."W|..5P......A...c]...J..X.;/.T..|...~.d.W..........(k.../.!.y..0Kol.Ty..N...yg....-.GI....@.c..g:...!.Oo..j..N.h6x..9)B.Iw.4Z}..g.CCN......X...:.`......!y.p.^=..;..!.......83..W..W...h.?$R.Q....$..+......... 6....3..i...<.Z.\...r.T....,.).s..~.V.......^].k.[....bQ....+Y.';C.._.R. fq......y..X.8t2.J.....4B...m.....A...a.8..F....51mt6e..Yec..A...q......:..)..l.O!.S..8.f..X....k.....!B..Z<.\.C....kc(...0..#.M}+@..X.g;P..r....x.
                                                        Process:C:\Users\user\Desktop\S17.exe
                                                        File Type:PC bitmap, Windows 3.x format, 35 x 20 x 24, image size 2160, cbSize 2214, bits offset 54
                                                        Category:dropped
                                                        Size (bytes):2214
                                                        Entropy (8bit):3.158509986026752
                                                        Encrypted:false
                                                        SSDEEP:48:JouFFFFFF8JuJuJuJuJuJuJuJuzQotg8UOub4FFXF2UuJuJVHuFFFFFF8JuJuJuf:yuFFFFFFAtgoFFXFZuFFFFFFf
                                                        MD5:DF205D271276F748CEF591CBD2DB34AD
                                                        SHA1:78CF2060CEE78621E753CADA5317CFACB81A88DD
                                                        SHA-256:437ED3561E75CF67ADC1A44CEDBFC57874EDF85C2D84E8F1484E2CBDD4EED7EB
                                                        SHA-512:11FA8EAAB577FB1B828187D79AA862E6AA7B1CAE55143AFC4F007DF71D0B66659AFAD26533125F2DE37FB31E57E2043265F08E7042434593DA988279FCA33538
                                                        Malicious:false
                                                        Preview:BM........6...(...#...............p...................%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$..%..%..%..$.....%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%.....%..%..%..%..%..%..%.....%..%..%..%..%...........%..%..%..%..%..%..............%..%..%..%..%..%..%..%..%.....%..%........%..%..%........%..%..%........%.....%..%...........%.....%..%........%..%........%..%..%..%.....%..%..$..%........$..%........$..%........$........%..$..%..............%........%..............%..%..$.....%..%..%..%...........%........%..%........%........%...........%..%..............%........%..%..%..%..%.....%..%..%..%........%..%..%........%........%..%..%..%..%..%...........%............
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):6.544511427283188
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:S17.exe
                                                        File size:4'947'968 bytes
                                                        MD5:6a10c76e5b4d264ea9584ed40413cea6
                                                        SHA1:9d863add57eaab21248351b77390d0a405c748a6
                                                        SHA256:b023eda70faaa0d8abb6e74feab481449ba108f0e266b36dd77a774e5af9bbec
                                                        SHA512:979866b0e01382f52810f66c18fb34de87b67a9932c6a7b3afc35eaf02041272f1fd87db1a4279f952dbea8c3d408c81ec0a1df2db1de70b710d8e2f911a2245
                                                        SSDEEP:49152:yRow+cN5icyFzEtDmv+h6T2C7qPOChiQXdGHfH2MmhdGHfH2Mms:Qt+cDicyFzKoRdqPbI/+y/+s
                                                        TLSH:7536AD137952C861D1401AF452B2CB38E9788E602C7DCA43EFF0FC6BBE725A36B55649
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................q...........................A...q......................................................
                                                        Icon Hash:2f3d6cb3985a7b0b
                                                        Entrypoint:0x51a509
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:
                                                        Time Stamp:0x676302A4 [Wed Dec 18 17:13:08 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:18a1e39382b63e85ee686680a4f065d3
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        push FFFFFFFFh
                                                        push 00787758h
                                                        push 0051D374h
                                                        mov eax, dword ptr fs:[00000000h]
                                                        push eax
                                                        mov dword ptr fs:[00000000h], esp
                                                        sub esp, 58h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        mov dword ptr [ebp-18h], esp
                                                        call dword ptr [0053D1C4h]
                                                        xor edx, edx
                                                        mov dl, ah
                                                        mov dword ptr [007E5FE4h], edx
                                                        mov ecx, eax
                                                        and ecx, 000000FFh
                                                        mov dword ptr [007E5FE0h], ecx
                                                        shl ecx, 08h
                                                        add ecx, edx
                                                        mov dword ptr [007E5FDCh], ecx
                                                        shr eax, 10h
                                                        mov dword ptr [007E5FD8h], eax
                                                        push 00000001h
                                                        call 00007F3168BCCF36h
                                                        pop ecx
                                                        test eax, eax
                                                        jne 00007F3168BC6F1Ah
                                                        push 0000001Ch
                                                        call 00007F3168BC6FD8h
                                                        pop ecx
                                                        call 00007F3168BCCCE1h
                                                        test eax, eax
                                                        jne 00007F3168BC6F1Ah
                                                        push 00000010h
                                                        call 00007F3168BC6FC7h
                                                        pop ecx
                                                        xor esi, esi
                                                        mov dword ptr [ebp-04h], esi
                                                        call 00007F3168BCCB0Fh
                                                        call dword ptr [0053D364h]
                                                        mov dword ptr [007EB224h], eax
                                                        call 00007F3168BCC9CDh
                                                        mov dword ptr [007E5F50h], eax
                                                        call 00007F3168BCC776h
                                                        call 00007F3168BCC6B8h
                                                        call 00007F3168BCB5E9h
                                                        mov dword ptr [ebp-30h], esi
                                                        lea eax, dword ptr [ebp-5Ch]
                                                        push eax
                                                        call dword ptr [0053D1DCh]
                                                        call 00007F3168BCC649h
                                                        mov dword ptr [ebp-64h], eax
                                                        test byte ptr [ebp-30h], 00000001h
                                                        je 00007F3168BC6F18h
                                                        movzx eax, word ptr [ebp+00h]
                                                        Programming Language:
                                                        • [ C ] VS98 (6.0) SP6 build 8804
                                                        • [C++] VS98 (6.0) SP6 build 8804
                                                        • [C++] VS98 (6.0) build 8168
                                                        • [ C ] VS98 (6.0) build 8168
                                                        • [EXP] VC++ 6.0 SP5 build 8804
                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x390558 | 0x140 | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ec000 | 0x10ce8c | .rsrc
                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x13d000 | 0x7b4 | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                         .text | 0x1000 | 0x13b55e | 0x13c000 | fa364d1e0b6f32b78eb9d778b4f2152a | False | 0.4165348101265823 | data | 6.4209140187038685 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                         .rdata | 0x13d000 | 0x255e34 | 0x256000 | 6952d863b79847291ded8c8165e6c34f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .data | 0x393000 | 0x5822a | 0x18000 | b9bc1265a776cc9df17e82ba044b4ba3 | False | 0.308990478515625 | data | 5.031496432528122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                         .rsrc | 0x3ec000 | 0x10ce8c | 0x10d000 | cf06c676a944f7ddf3c5ed38dbe0420f | False | 0.4387860493145911 | data | 5.420636766230953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                         TEXTINCLUDE | 0x3ecb9c | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273
                                                         TEXTINCLUDE | 0x3ecba8 | 0x16 | data | Chinese | China | 1.3636363636363635
                                                         TEXTINCLUDE | 0x3ecbc0 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267
                                                         RT_CURSOR | 0x3ecd14 | 0x134 | data | Chinese | China | 0.5811688311688312
                                                         RT_CURSOR | 0x3ece48 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
                                                         RT_CURSOR | 0x3ecf7c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
                                                         RT_CURSOR | 0x3ed0b0 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
                                                         RT_BITMAP | 0x3ed164 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342
                                                         RT_BITMAP | 0x3ed3ac | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444
                                                         RT_BITMAP | 0x3ed4f0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026
                                                         RT_BITMAP | 0x3ed648 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442
                                                         RT_BITMAP | 0x3ed7a0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279
                                                         RT_BITMAP | 0x3ed8f8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395
                                                         RT_BITMAP | 0x3eda50 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256
                                                         RT_BITMAP | 0x3edba8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513
                                                         RT_BITMAP | 0x3edd00 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536
                                                         RT_BITMAP | 0x3ede58 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303
                                                         RT_BITMAP | 0x3edfb0 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615
                                                         RT_BITMAP | 0x3ee594 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
                                                         RT_BITMAP | 0x3ee64c | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296
                                                         RT_BITMAP | 0x3ee7b8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
                                                         RT_ICON | 0x3ee8fc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.26344086021505375
                                                         RT_ICON | 0x3eebe4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217
                                                         RT_ICON | 0x3eed0c | 0x108028 | Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152 | | | 0.45241641998291016
                                                         RT_MENU | 0x4f6d34 | 0xc | data | Chinese | China | 1.5
                                                         RT_MENU | 0x4f6d40 | 0x284 | data | Chinese | China | 0.5
                                                         RT_DIALOG | 0x4f6fc4 | 0x98 | data | Chinese | China | 0.7171052631578947
                                                         RT_DIALOG | 0x4f705c | 0x17a | data | Chinese | China | 0.5185185185185185
                                                         RT_DIALOG | 0x4f71d8 | 0xfa | data | Chinese | China | 0.696
                                                         RT_DIALOG | 0x4f72d4 | 0xea | data | Chinese | China | 0.6239316239316239
                                                         RT_DIALOG | 0x4f73c0 | 0x8ae | data | Chinese | China | 0.39603960396039606
                                                         RT_DIALOG | 0x4f7c70 | 0xb2 | data | Chinese | China | 0.7359550561797753
                                                         RT_DIALOG | 0x4f7d24 | 0xcc | data | Chinese | China | 0.7647058823529411
                                                         RT_DIALOG | 0x4f7df0 | 0xb2 | data | Chinese | China | 0.6629213483146067
                                                         RT_DIALOG | 0x4f7ea4 | 0xe2 | data | Chinese | China | 0.6637168141592921
                                                         RT_DIALOG | 0x4f7f88 | 0x18c | data | Chinese | China | 0.5227272727272727
                                                         RT_STRING | 0x4f8114 | 0x50 | data | Chinese | China | 0.85
                                                         RT_STRING | 0x4f8164 | 0x2c | data | Chinese | China | 0.5909090909090909
                                                         RT_STRING | 0x4f8190 | 0x78 | data | Chinese | China | 0.925
                                                         RT_STRING | 0x4f8208 | 0x1c4 | data | Chinese | China | 0.8141592920353983
                                                         RT_STRING | 0x4f83cc | 0x12a | data | Chinese | China | 0.5201342281879194
                                                         RT_STRING | 0x4f84f8 | 0x146 | data | Chinese | China | 0.6288343558282209
                                                         RT_STRING | 0x4f8640 | 0x40 | data | Chinese | China | 0.65625
                                                         RT_STRING | 0x4f8680 | 0x64 | data | Chinese | China | 0.73
                                                         RT_STRING | 0x4f86e4 | 0x1d8 | data | Chinese | China | 0.6758474576271186
                                                         RT_STRING | 0x4f88bc | 0x114 | data | Chinese | China | 0.6376811594202898
                                                         RT_STRING | 0x4f89d0 | 0x24 | data | Chinese | China | 0.4444444444444444
                                                         RT_GROUP_CURSOR | 0x4f89f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                         RT_GROUP_CURSOR | 0x4f8a08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                         RT_GROUP_CURSOR | 0x4f8a1c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
                                                         RT_GROUP_ICON | 0x4f8a40 | 0x14 | Targa image data - Map 32 x 32808 x 16 | | | 1.1
                                                         RT_GROUP_ICON | 0x4f8a54 | 0x14 | data | Chinese | China | 1.2
                                                         RT_GROUP_ICON | 0x4f8a68 | 0x14 | data | Chinese | China | 1.25
                                                         RT_VERSION | 0x4f8a7c | 0x240 | data | Chinese | China | 0.5642361111111112
                                                         RT_MANIFEST | 0x4f8cbc | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | | | 0.5878524945770065
                                                         DLL | Import
                                                         WINMM.dll | midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
                                                         WS2_32.dll | WSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
                                                         RASAPI32.dll | RasGetConnectStatusA, RasHangUpA
                                                         KERNEL32.dll | MultiByteToWideChar, SetLastError, GetTimeZoneInformation, GetVersion, lstrcmpiA, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, OpenProcess, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, InterlockedExchange, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, TerminateThread
                                                         USER32.dll | SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, WinHelpA, KillTimer, SetTimer, LoadStringA, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, CreateAcceleratorTableA, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, DispatchMessageA, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, GetForegroundWindow, RegisterWindowMessageA, GetWindowPlacement, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, TabbedTextOutA, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, 
wsprintfA, WaitForInputIdle, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, FindWindowA, UnregisterClassA, GetDlgItem, GetWindowTextA, CallWindowProcA, RegisterHotKey, UnregisterHotKey, DrawTextA, SetWindowsHookExA, UnhookWindowsHookEx, EnumThreadWindows, GetWindowTextLengthA, EnumChildWindows, CallNextHookEx, GetWindowDC, GetSysColorBrush, FrameRect, SetWindowTextA, PtInRect, CreateWindowExA, CharUpperA, BeginPaint, EndPaint
                                                        GDI32.dllGetViewportExtEx, ExtSelectClipRgn, Arc, GetTextExtentPoint32A, GetDeviceCaps, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetDIBits, RealizePalette, SelectPalette, StretchBlt, CreatePalette, GetSystemPaletteEntries, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, SetPixel, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, SetBkMode, LineTo, MoveToEx, SetTextColor, CreateEllipticRgnIndirect, GetTextMetricsA, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetROP2, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, RoundRect, GetCurrentObject, DPtoLP, LPtoDP, Rectangle, Ellipse, CreateCompatibleDC, GetPixel, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, SetPolyFillMode, RestoreDC, SaveDC, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, CreateDIBitmap, GetTextColor
                                                        MSIMG32.dllGradientFill
                                                        WINSPOOL.DRVOpenPrinterA, DocumentPropertiesA, ClosePrinter
                                                        ADVAPI32.dllRegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
                                                        SHELL32.dllSHGetSpecialFolderPathA, Shell_NotifyIconA, ShellExecuteA, SHChangeNotify, DragQueryFileA, DragFinish, DragAcceptFiles
                                                        ole32.dllCoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
                                                        OLEAUT32.dllUnRegisterTypeLib, LoadTypeLib, RegisterTypeLib
                                                        COMCTL32.dllImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag, _TrackMouseEvent
                                                        WININET.dllInternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
                                                        comdlg32.dllChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA
                                                        Language of compilation system  Country where language is spoken  Map
                                                        Chinese                         China
                                                        Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                        Dec 30, 2024 14:38:10.890567064 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:10.895487070 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:10.895586967 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:10.896199942 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:10.901012897 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:17.787617922 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:17.787635088 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:17.787646055 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:17.787657976 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:17.787667990 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:17.787678957 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:17.787719011 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:17.787756920 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:18.014940023 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:18.014992952 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:18.265495062 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:18.270370960 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:18.580444098 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:18.580712080 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:21.624552965 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:21.629573107 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:21.936119080 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:21.936139107 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:21.936151028 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:21.936244011 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:21.936253071 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:21.936265945 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:21.936279058 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:21.936302900 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:21.936302900 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:21.936337948 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:22.495388031 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:22.500211954 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:22.811219931 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:22.811333895 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:49.094558001 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:49.102190971 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:49.102297068 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:49.102454901 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:49.108815908 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.009041071 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.009057045 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.009068012 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.009078979 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.009090900 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.009138107 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:50.009300947 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:50.239670992 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.239808083 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:50.491813898 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:50.496629000 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.812475920 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:50.812550068 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:53.842912912 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:53.847913027 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.165783882 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.165800095 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.165812016 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.165822983 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.165885925 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:54.165885925 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:54.166129112 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.166167974 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.166189909 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:54.166224957 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:54.339903116 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:38:54.344816923 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.660506964 CET  80           49737      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:38:54.662991047 CET  49737        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:40:00.878248930 CET  49730        80         192.168.2.4      192.144.128.212
                                                        Dec 30, 2024 14:40:00.883166075 CET  80           49730      192.144.128.212  192.168.2.4
                                                        Dec 30, 2024 14:40:00.886996031 CET  49730        80         192.168.2.4      192.144.128.212
                                                        • 192.144.128.212
                                                        Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                        0           192.168.2.4  49730        192.144.128.212  80                6232  C:\Users\user\Desktop\S17.exe
                                                        Timestamp                            Bytes transferred  Direction  Data
                                                        Dec 30, 2024 14:38:10.896199942 CET  183                OUT        GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:17.787617922 CET  1236               IN         HTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Mon, 30 Dec 2024 03:20:48 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "a8947dd2695adb1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:17 GMT
                                                        Content-Length: 6110
                                                        Dec 30, 2024 14:38:18.265495062 CET  150                OUT        GET /123.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:18.580444098 CET  502                IN         HTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Wed, 18 Dec 2024 17:13:59 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "7314363a7051db1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:17 GMT
                                                        Content-Length: 277
                                                        Dec 30, 2024 14:38:21.624552965 CET  183                OUT        GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:21.936119080 CET  1236               IN         HTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Mon, 30 Dec 2024 03:20:48 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "a8947dd2695adb1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:22 GMT
                                                        Content-Length: 6110
                                                        Dec 30, 2024 14:38:22.495388031 CET  150                OUT        GET /123.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:22.811219931 CET  502                IN         HTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Wed, 18 Dec 2024 17:13:59 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "7314363a7051db1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:22 GMT
                                                        Content-Length: 277


                                                        Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                        1           192.168.2.4  49737        192.144.128.212  80                5888  C:\Users\user\Desktop\S17.exe
                                                        Timestamp                            Bytes transferred  Direction  Data
                                                        Dec 30, 2024 14:38:49.102454901 CET  183                OUT        GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:50.009041071 CET  1236               IN         HTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Mon, 30 Dec 2024 03:20:48 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "a8947dd2695adb1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:50 GMT
                                                        Content-Length: 6110
                                                        Dec 30, 2024 14:38:50.491813898 CET150OUTGET /123.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:50.812475920 CET502INHTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Wed, 18 Dec 2024 17:13:59 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "7314363a7051db1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:50 GMT
                                                        Content-Length: 277
                                                        Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a ce d2 b2 bb ca c7 c9 b1 c9 f1 0d 0a bf aa b9 ad c3 bb d3 d0 bb d8 cd b7 bc fd 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a bd a3 ce e8 c8 fd b9 fa 0d 0a d2 bb c6 f0 c0 b4 c9 b1 bc a6 0d 0a d0 c7 bf d5 0d 0a cf f1 cb d8 bb c3 cf eb 32 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc
                                                        Data Ascii: 232TDII
                                                        Dec 30, 2024 14:38:53.842912912 CET183OUTGET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:54.165783882 CET1236INHTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Mon, 30 Dec 2024 03:20:48 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "a8947dd2695adb1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:53 GMT
                                                        Content-Length: 6110
                                                        Data Raw: d7 ac b9 bb d2 bb b0 d9 d2 da 0d 0a d4 aa cb d8 bd f8 bb af 0d 0a d2 bb d5 c5 bb b3 be c9 52 50 47 0d 0a c9 f1 e1 db d6 ae c2 b7 0d 0a c9 b3 c4 ae c2 cc d6 de 0d 0a b1 a9 b4 f2 c8 fd b9 fa 32 0d 0a ce d2 b5 c4 bc fd c9 f1 ca c0 bd e7 0d 0a d2 c5 ca a7 c2 d6 bb d8 0d 0a ce e5 c9 fa ca d3 bd e7 0d 0a bb ec c2 d2 ce e4 c1 d6 54 44 b5 b6 bd a3 c8 e7 c3 ce 0d 0a d5 e6 d0 de cf c9 54 44 0d 0a ce d2 d2 aa c9 b1 c9 b1 bc a6 0d 0a bf aa be d6 d2 bb cc f5 f6 ef d7 a8 cb a2 c8 a8 cf de 0d 0a cc ec c3 fc c9 f1 bd e7 0d 0a cf c2 b0 d1 b1 d8 cd a8 0d 0a ce de be a1 bf f1 bb b6 0d 0a ce d2 cf d6 d4 da d6 bb cf eb b7 c5 ce de cb ab 0d 0a ce ca b6 a6 cc a4 cc ec 0d 0a bf aa be d6 d2 bb cc f5 f6 ef 0d 0a d2 bb d5 c5 ba dc c4 d1 b5 c4 b7 c0 ca d8 cd bc 49 49 0d 0a ca d8 b4 e5 c8 cb 0d 0a b4 f3 cf c0 c9 cf be c6 0d 0a b5 da be c5 c2 d6 bb d8 0d 0a ce d2 b2 bb ca c7 c9 b1 c9 f1 0d 0a d2 af b6 c0 d7 d4 ca d8 b3 c7 0d 0a c9 f1 c4 a7 bc cd d4 aa 0d 0a ca de c8 cb ce de cf de bd f8 bb af 32 0d 0a d0 ee ca c6 b6 f8 c9 cf 0d [TRUNCATED]
                                                        Data Ascii: RPG2TDTDII2T4BUG23_2642_orpgTD225
                                                        Dec 30, 2024 14:38:54.165800095 CET1236INData Raw: fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2
                                                        Data Ascii: 312TDII
                                                        Dec 30, 2024 14:38:54.165812016 CET1236INData Raw: b0 0d 0a ce d2 c4 dc b4 b3 bc b8 b9 d8 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 0d 0a bf aa cf e4 c9 fa b4 e6 0d 0a ca ae b5 ee d1 d6 c2 de 32 b2 e2 ca d4 0d 0a c6 e5 c5 cc ce f7 d3 ce b1 b8 d3 c3 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a
                                                        Data Ascii: 2II2TD2
                                                        Dec 30, 2024 14:38:54.165822983 CET672INData Raw: a8 cf de 0d 0a d0 a1 d0 a1 bd a3 ca a5 d7 a8 cb a2 c8 a8 cf de 0d 0a d2 bb c4 ee cd a8 cc ec d7 a8 cb a2 c8 a8 cf de 0d 0a cb c4 c9 fa ca d3 bd e7 d7 a8 cb a2 c8 a8 cf de 0d 0a b7 e7 b1 a9 d5 bd bc c7 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 fc d4 cb 46
                                                        Data Ascii: F38.26
                                                        Dec 30, 2024 14:38:54.166129112 CET1236INData Raw: a5 d0 de b8 b4 d2 ec b3 a3 0d 0a d0 a1 d0 a1 bd a3 ca a5 cd a8 b9 d8 d7 b0 b1 b8 0d 0a bb af b7 b2 b3 c9 c9 f1 0d 0a d0 a1 d0 a1 bd a3 ca a5 0d 0a c2 d2 ca c0 c3 a7 bb c4 0d 0a d0 c2 c9 fa cf c8 d0 d0 b0 e6 0d 0a be ab c1 e9 b9 ad ca d6 0d 0a c8
                                                        Data Ascii: BT2ORPG202223
                                                        Dec 30, 2024 14:38:54.166167974 CET720INData Raw: e6 0d 0a bb c3 cf eb d6 ae b5 d8 4f 52 50 47 0d 0a b9 e9 d0 e6 d6 ae be b3 0d 0a d3 a2 d0 db d4 d9 cf d6 33 0d 0a b3 ac b1 e4 b2 bb cb c0 d7 e5 bd f8 bb af 0d 0a c8 cc d5 df bc b2 b7 e7 b4 ab 0d 0a b5 b1 bd a9 ca ac c0 b4 c7 c3 c3 c5 32 0d 0a c4
                                                        Data Ascii: ORPG32TD
                                                        Dec 30, 2024 14:38:54.339903116 CET150OUTGET /123.txt HTTP/1.1
                                                        Accept: */*
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                        Host: 192.144.128.212
                                                        Cache-Control: no-cache
                                                        Dec 30, 2024 14:38:54.660506964 CET502INHTTP/1.1 200 OK
                                                        Content-Type: text/plain
                                                        Last-Modified: Wed, 18 Dec 2024 17:13:59 GMT
                                                        Accept-Ranges: bytes
                                                        ETag: "7314363a7051db1:0"
                                                        Server: Microsoft-IIS/8.5
                                                        Date: Mon, 30 Dec 2024 13:38:53 GMT
                                                        Content-Length: 277
                                                        Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 0d 0a ce d2 b2 bb ca c7 c9 b1 c9 f1 0d 0a bf aa b9 ad c3 bb d3 d0 bb d8 cd b7 bc fd 0d 0a b5 b6 b5 b6 bd f8 bb af 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a bd a3 ce e8 c8 fd b9 fa 0d 0a d2 bb c6 f0 c0 b4 c9 b1 bc a6 0d 0a d0 c7 bf d5 0d 0a cf f1 cb d8 bb c3 cf eb 32 0d 0a b7 a5 c4 be c9 fa b4 e6 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d1 f8 bc a6 c9 fa b4 e6 0d 0a d2 bb c9 ed c9 f1 d7 b0 33 0d 0a b7 e7 c6 f0 0d 0a ca ae b5 ee d1 d6 c2 de 32 0d 0a d3 a2 c1 e9 b4 ab cb b5 0d 0a d2 bb d2 b6 d5 da cc ec 0d 0a cc ec bd a3 c8 fd b9 fa 0d 0a bd d6 bb fa c2 d2 b6 b7 54 44 0d 0a cf c9 c8 cb d6 ae c9 cf 0d 0a b2 bb cb c0 ce e4 b7 f2 49 49 0d 0a 0d 0a d2 d4 c9 cf b6 bc ca c7 c8 c8 c3 c5 cd bc 0d 0a b5 e3 bb f7 bf c9 d2 d4 bf ec cb d9 d1 a1 cd bc
                                                        Data Ascii: 232TDII



                                                        Target ID:0
                                                        Start time:08:37:57
                                                        Start date:30/12/2024
                                                        Path:C:\Users\user\Desktop\S17.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\S17.exe"
                                                        Imagebase:0x400000
                                                        File size:4'947'968 bytes
                                                        MD5 hash:6A10C76E5B4D264EA9584ED40413CEA6
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:5
                                                        Start time:08:38:40
                                                        Start date:30/12/2024
                                                        Path:C:\Users\user\Desktop\S17.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\S17.exe"
                                                        Imagebase:0x400000
                                                        File size:4'947'968 bytes
                                                        MD5 hash:6A10C76E5B4D264EA9584ED40413CEA6
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:8.2%
                                                          Dynamic/Decrypted Code Coverage:59.3%
                                                          Signature Coverage:31%
                                                          Total number of Nodes:578
                                                          Total number of Limit Nodes:25
                                                          execution_graph 22674 10027008 6 API calls 22675 10027c08 HeapReAlloc HeapAlloc 22676 10029610 FreeLibrary 22737 10026f15 21 API calls 22679 10027218 31 API calls 22680 4b5250 HeapFree 22681 10026c1e 22 API calls 22682 1001221f 72 API calls 22740 51d374 RtlUnwind 22685 4ac460 67 API calls 22616 4b4c60 22619 4b4c40 22616->22619 22622 4ac9a0 22619->22622 22621 4b4c51 22623 4ac9cb 22622->22623 22624 4aca63 22622->22624 22625 4ac9ea 22623->22625 22629 4ac9f3 GetProcAddress 22623->22629 22630 4aca91 22624->22630 22655 4acc46 22624->22655 22667 51b198 6 API calls 22624->22667 22665 51b198 6 API calls 22625->22665 22635 4aca13 22629->22635 22636 4acbcf 22630->22636 22638 4acabc 22630->22638 22632 4acbd4 LoadLibraryA 22634 4acbe4 GetProcAddress 22632->22634 22632->22636 22633 4aca4d 22633->22621 22634->22636 22666 4ac980 35 API calls 22635->22666 22636->22632 22639 4acc2a 22636->22639 22640 4acc16 FreeLibrary 22636->22640 22637 4acb9a LoadLibraryA 22637->22639 22643 4acba7 GetProcAddress 22637->22643 22638->22637 22641 4acae8 22638->22641 22642 4acb10 22638->22642 22646 4acc3f FreeLibrary 22639->22646 22639->22655 22640->22636 22645 52c7fd 32 API calls 22641->22645 22659 52c7fd 22642->22659 22643->22639 22644 4acbb7 22643->22644 22644->22639 22649 4acaf4 LoadLibraryA 22645->22649 22646->22655 22648 4acb26 22650 52c7fd 32 API calls 22648->22650 22651 4acb04 22649->22651 22652 4acb3a LoadLibraryA 22650->22652 22651->22642 22651->22643 22653 4acb4a 22652->22653 22653->22643 22654 4acb92 22653->22654 22656 52c7fd 32 API calls 22653->22656 22654->22637 22654->22643 22655->22621 22657 4acb82 LoadLibraryA 22656->22657 22658 52c5b4 22657->22658 22658->22654 22660 52c807 __EH_prolog 22659->22660 22661 52c826 lstrlenA 22660->22661 22662 52c822 22660->22662 22661->22662 22668 52c759 22662->22668 22664 52c844 22664->22648 22665->22629 22666->22633 22667->22630 22669 52c76d 22668->22669 22671 52c773 22668->22671 22670 52c421 31 
API calls 22669->22670 22670->22671 22671->22664 22686 4b6a60 GetDeviceCaps MulDiv ReleaseDC 22687 10026e2e 35 API calls 22743 10026f34 35 API calls 22744 10026d35 86 API calls 22690 100249fb 25 API calls 22691 10026c3d 21 API calls 22021 10027c40 22022 10027c86 22021->22022 22023 10027c4d 22021->22023 22024 10027c56 22023->22024 22025 10027c5b 22023->22025 22029 10027ae0 GetModuleHandleA 22024->22029 22025->22022 22027 10027c6b IsBadReadPtr 22025->22027 22027->22022 22028 10027c78 RtlFreeHeap 22027->22028 22028->22022 22029->22025 22693 4b5000 10 API calls 22030 10027a50 22031 10027a61 22030->22031 22032 10027a8a 22030->22032 22031->22032 22033 10027a64 22031->22033 22048 10026b52 ReleaseMutex NtClose 22032->22048 22042 10027aa0 GetProcessHeap 22033->22042 22036 10027a9b 22041 10027a85 22043 10027a6f 22042->22043 22044 10029790 22043->22044 22049 10027474 22044->22049 22047 10026b52 ReleaseMutex NtClose 22047->22041 22048->22036 22050 1002747c 22049->22050 22053 10018a96 22050->22053 22052 10027481 22052->22047 22054 10018aab 22053->22054 22057 10018ad3 22054->22057 22056 10018ab0 22056->22052 22058 10018aee 22057->22058 22104 10018eea CreateMutexA 22058->22104 22060 10018af3 22061 10018eea CreateMutexA 22060->22061 22062 10018afd HeapCreate 22061->22062 22063 10018b3a HeapCreate 22062->22063 22064 10018b23 22062->22064 22065 10018b60 22063->22065 22064->22063 22106 1000188f 22065->22106 22067 10018bc0 22112 1000b61e 22067->22112 22069 10018bdc 22070 1000188f 17 API calls 22069->22070 22071 10018c3b 22070->22071 22072 1000b61e 7 API calls 22071->22072 22073 10018c57 22072->22073 22074 1000188f 17 API calls 22073->22074 22075 10018cb6 22074->22075 22076 1000b61e 7 API calls 22075->22076 22077 10018cd2 22076->22077 22078 1000188f 17 API calls 22077->22078 22079 10018d31 22078->22079 22080 1000b61e 7 API calls 22079->22080 22081 10018d4d 22080->22081 22082 1000188f 17 API calls 22081->22082 22083 10018dac 22082->22083 22084 1000b61e 7 API calls 22083->22084 22085 
10018dc8 22084->22085 22118 1000710e 22085->22118 22087 10018df2 22128 10018f34 22087->22128 22089 10018dfc 22142 100191e3 22089->22142 22091 10018e06 22154 1000ff10 22091->22154 22093 10018e37 22163 100114f9 22093->22163 22095 10018e43 22096 1000ff10 18 API calls 22095->22096 22097 10018e8f 22096->22097 22098 100114f9 18 API calls 22097->22098 22099 10018e9b 22098->22099 22169 10019f4c 22099->22169 22103 10018ecc 22103->22056 22105 10018f14 22104->22105 22105->22060 22111 100018bd 22106->22111 22107 10001ac2 22180 100283f0 22107->22180 22110 10001ae8 22110->22067 22111->22107 22207 10028090 _CIfmod 22111->22207 22113 1000b631 22112->22113 22219 1000b75c 22113->22219 22115 1000b65c 22116 1000b6cb LdrGetDllHandleEx 22115->22116 22117 1000b6ee 22116->22117 22117->22069 22119 10007121 22118->22119 22120 100071de GetVersionExA 22119->22120 22121 10007273 22120->22121 22242 10027ca0 22121->22242 22123 100072d2 22124 10007362 GetSystemInfo 22123->22124 22127 100074c6 22123->22127 22125 100073f5 22124->22125 22126 10007495 RtlGetNtVersionNumbers 22125->22126 22126->22127 22127->22087 22129 10018f4e 22128->22129 22131 10018f7e 22129->22131 22250 100289c0 22129->22250 22131->22089 22132 10018fad 22133 1000b61e 7 API calls 22132->22133 22134 10019053 22133->22134 22135 1000188f 17 API calls 22134->22135 22136 10019077 22135->22136 22137 10019081 22136->22137 22255 10006051 LdrGetProcedureAddress 22137->22255 22139 1001918a 22139->22131 22140 100190a4 22140->22139 22256 10001d56 IsBadCodePtr 22140->22256 22143 10019205 22142->22143 22145 10019212 22143->22145 22258 100188e1 22143->22258 22145->22091 22146 10019221 22263 100193c2 22146->22263 22148 100192bd 22149 100193c2 38 API calls 22148->22149 22150 10019331 22149->22150 22283 100198cc 25 API calls 22150->22283 22152 1001936a 22284 100198cc 25 API calls 22152->22284 22306 10027f20 22154->22306 22156 1000ff39 22157 10027f20 4 API calls 22156->22157 22158 1000ff58 22157->22158 22159 1000ffe0 RtlComputeCrc32 22158->22159 
22160 10010003 22159->22160 22319 10010057 22160->22319 22162 10010034 22162->22093 22164 1001150f 22163->22164 22168 10011520 22163->22168 22165 1000188f 17 API calls 22164->22165 22165->22168 22166 10001d56 IsBadCodePtr 22167 1001161a 22166->22167 22167->22095 22168->22166 22170 10018ec7 22169->22170 22171 10019f74 22169->22171 22179 1001a236 47 API calls 22170->22179 22342 10019ff3 22171->22342 22175 10019fd3 22351 10007fdd 22175->22351 22177 10019fa2 22177->22175 22178 1001a0ce 21 API calls 22177->22178 22178->22177 22179->22103 22181 10028478 22180->22181 22190 1002840f 22180->22190 22182 10028483 22181->22182 22183 10028574 22181->22183 22184 10028489 22182->22184 22185 1002854f sprintf 22182->22185 22186 100285f2 22183->22186 22187 1002857b 22183->22187 22193 10028517 22184->22193 22194 100284f9 22184->22194 22195 1002858f sprintf 22184->22195 22204 1002849e 22184->22204 22206 10028674 22184->22206 22185->22204 22191 1002862a sprintf 22186->22191 22192 100285f9 22186->22192 22188 100285ce sprintf 22187->22188 22189 1002857d 22187->22189 22188->22204 22196 10028584 22189->22196 22197 100285ae sprintf 22189->22197 22190->22206 22208 10028380 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22190->22208 22191->22204 22198 10028604 sprintf 22192->22198 22192->22206 22210 10029dc0 6 API calls 22193->22210 22209 10028380 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22194->22209 22195->22204 22196->22195 22196->22206 22197->22204 22198->22204 22202 10028469 22202->22110 22203 10028508 22203->22110 22204->22206 22211 10027bb0 22204->22211 22206->22110 22207->22111 22208->22202 22209->22203 22210->22204 22212 10027bc4 RtlAllocateHeap 22211->22212 22213 10027bb9 GetProcessHeap 22211->22213 22214 10027bf5 22212->22214 22215 10027bd9 MessageBoxA 22212->22215 22213->22212 22214->22206 22218 10027b10 ExitProcess 22215->22218 22217 10027bf2 22217->22214 22218->22217 22220 1000b76f 22219->22220 22223 1000210d 22220->22223 22222 1000b7c1 22222->22115 22224 
1000212e 22223->22224 22225 10002149 MultiByteToWideChar 22224->22225 22226 10002178 22225->22226 22231 100021b9 22226->22231 22235 100280c0 22226->22235 22228 100021dc 22229 1000220e MultiByteToWideChar 22228->22229 22230 10002239 22229->22230 22230->22231 22240 100286c0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22230->22240 22231->22222 22233 100022ce 22233->22231 22241 100286f0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22233->22241 22236 100280c9 22235->22236 22237 100280cd 22235->22237 22236->22228 22238 10027bb0 4 API calls 22237->22238 22239 100280d6 22238->22239 22239->22228 22240->22233 22241->22231 22243 10027cb1 22242->22243 22246 10027cb6 22242->22246 22249 10027ae0 GetModuleHandleA 22243->22249 22245 10027d14 22245->22123 22246->22245 22247 10027bb0 4 API calls 22246->22247 22248 10027cf9 22247->22248 22248->22123 22249->22246 22251 100289c9 22250->22251 22252 100289cd 22250->22252 22251->22132 22253 10027bb0 4 API calls 22252->22253 22254 100289d8 22253->22254 22254->22132 22255->22140 22257 10001d82 22256->22257 22257->22139 22259 100289c0 4 API calls 22258->22259 22260 1001890c 22259->22260 22261 10018926 GetSystemDirectoryA 22260->22261 22262 10018944 22261->22262 22262->22146 22264 100193ea 22263->22264 22285 100294c0 22264->22285 22266 10019463 22267 1001947d CopyFileA 22266->22267 22268 100194a0 22267->22268 22292 10028d40 CreateFileA 22268->22292 22270 100194da 22271 10028d40 8 API calls 22270->22271 22272 10019550 22270->22272 22271->22272 22297 10028e50 DeleteFileA 22272->22297 22274 1001959d 22298 10006495 22274->22298 22276 100195b3 22277 100195e3 RtlAllocateHeap 22276->22277 22280 10019832 22276->22280 22278 1001960e 22277->22278 22304 10008edd 26 API calls 22278->22304 22280->22148 22282 1001966e 22305 100094fb 26 API calls 22282->22305 22283->22152 22284->22145 22286 100294d1 GetTempPathA 22285->22286 22287 100294e5 22285->22287 22286->22287 22288 10029543 GetTickCount wsprintfA PathFileExistsA 22287->22288 
22288->22288 22289 1002956b 22288->22289 22290 10027bb0 4 API calls 22289->22290 22291 1002957f 22290->22291 22291->22266 22293 10028d64 GetFileSize 22292->22293 22294 10028da9 22292->22294 22295 10027bb0 4 API calls 22293->22295 22294->22270 22296 10028d7d ReadFile CloseHandle 22295->22296 22296->22294 22297->22274 22299 100064ad 22298->22299 22300 1000652f RtlMoveMemory 22299->22300 22303 1000679e 22299->22303 22301 10006669 22300->22301 22302 10027ca0 5 API calls 22301->22302 22302->22303 22303->22276 22304->22282 22305->22280 22307 10027f40 22306->22307 22309 10027f80 22307->22309 22310 10027f4c 22307->22310 22308 10027feb 22308->22156 22309->22308 22311 10027fc2 22309->22311 22312 10027f9b 22309->22312 22327 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22310->22327 22329 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22311->22329 22328 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22312->22328 22315 10027f76 22315->22156 22316 10027fb8 22316->22156 22318 10027fe1 22318->22156 22320 1001006f 22319->22320 22321 100283f0 16 API calls 22320->22321 22322 10010097 22321->22322 22330 10028ad0 22322->22330 22324 100100cc 22337 10028b30 22324->22337 22326 10010173 22326->22162 22327->22315 22328->22316 22329->22318 22331 10028b23 22330->22331 22332 10028ae4 22330->22332 22331->22324 22332->22331 22333 10027bb0 4 API calls 22332->22333 22334 10028afa 22333->22334 22335 10028b05 strncpy 22334->22335 22336 10028b19 22334->22336 22335->22335 22335->22336 22336->22324 22338 10028b91 22337->22338 22339 10028b45 22337->22339 22338->22326 22339->22338 22340 10027bb0 4 API calls 22339->22340 22341 10028b68 22340->22341 22341->22326 22343 1001a00d 22342->22343 22358 1001a031 22343->22358 22346 1001a0ce 22347 10027f20 4 API calls 22346->22347 22348 1001a0f7 22347->22348 22373 1001a199 22348->22373 22350 1001a16d 22350->22177 22352 100280c0 4 API calls 22351->22352 22353 1000800f 22352->22353 22384 10007db8 22353->22384 22356 
10008069 NtClose 22357 1000807e 22356->22357 22357->22170 22359 1001a047 22358->22359 22367 1001a0a1 22358->22367 22360 1000188f 17 API calls 22359->22360 22362 1001a058 22360->22362 22372 100031b3 6 API calls 22362->22372 22363 10019f88 22363->22170 22363->22346 22365 1001a087 InterlockedExchange 22365->22367 22366 1001a074 22366->22365 22368 10004b1b 22367->22368 22369 10004b2e 22368->22369 22370 10004b3d 22368->22370 22369->22363 22370->22369 22371 10004baa LdrInitializeThunk 22370->22371 22371->22363 22372->22366 22374 1001a1af 22373->22374 22382 1001a209 22373->22382 22376 1000188f 17 API calls 22374->22376 22375 10004b1b LdrInitializeThunk 22377 1001a22b 22375->22377 22378 1001a1c0 22376->22378 22377->22350 22383 100031b3 6 API calls 22378->22383 22380 1001a1ef InterlockedExchange 22380->22382 22381 1001a1dc 22381->22380 22382->22375 22383->22381 22385 10007dce 22384->22385 22386 10007e28 22384->22386 22387 1000188f 17 API calls 22385->22387 22388 10004b1b LdrInitializeThunk 22386->22388 22389 10007ddf 22387->22389 22390 10007e4a 22388->22390 22394 100031b3 6 API calls 22389->22394 22390->22356 22390->22357 22392 10007dfb 22393 10007e0e InterlockedExchange 22392->22393 22393->22386 22394->22392 22696 10027050 63 API calls 22749 10011753 DispatchMessageA CallWindowProcA 22395 51be07 22398 51be19 22395->22398 22399 51be16 22398->22399 22401 51be20 22398->22401 22401->22399 22402 51be45 22401->22402 22403 51be72 22402->22403 22405 51beb5 22402->22405 22409 51bea0 22403->22409 22420 522c44 29 API calls 22403->22420 22405->22409 22410 51bed7 22405->22410 22406 51be88 22421 5241f1 HeapReAlloc HeapAlloc VirtualAlloc HeapFree VirtualAlloc 22406->22421 22407 51bf24 RtlAllocateHeap 22408 51bea7 22407->22408 22408->22401 22409->22407 22409->22408 22423 522c44 29 API calls 22410->22423 22413 51be93 22422 51beac LeaveCriticalSection 22413->22422 22414 51bede 22424 524c94 6 API calls 22414->22424 22417 51bef1 22425 51bf0b LeaveCriticalSection 22417->22425 22419 51befe 
22419->22408 22419->22409 22420->22406 22421->22413 22422->22409 22423->22414 22424->22417 22425->22419 22426 51a509 GetVersion 22458 520588 HeapCreate 22426->22458 22428 51a567 22429 51a574 22428->22429 22430 51a56c 22428->22430 22470 520345 37 API calls 22429->22470 22478 51a636 8 API calls 22430->22478 22434 51a579 22435 51a585 22434->22435 22436 51a57d 22434->22436 22471 520189 34 API calls 22435->22471 22479 51a636 8 API calls 22436->22479 22440 51a58f GetCommandLineA 22472 520057 37 API calls 22440->22472 22442 51a59f 22480 51fe0a 49 API calls 22442->22480 22444 51a5a9 22473 51fd51 48 API calls 22444->22473 22446 51a5ae 22447 51a5b3 GetStartupInfoA 22446->22447 22474 51fcf9 48 API calls 22447->22474 22449 51a5c5 22450 51a5ce 22449->22450 22451 51a5d7 GetModuleHandleA 22450->22451 22475 529e6e 22451->22475 22455 51a5f2 22482 51fb81 36 API calls 22455->22482 22457 51a603 22459 5205a8 22458->22459 22460 5205de 22458->22460 22483 520440 57 API calls 22459->22483 22460->22428 22462 5205ad 22463 5205b7 22462->22463 22464 5205c4 22462->22464 22484 523e55 HeapAlloc 22463->22484 22466 5205e1 22464->22466 22485 52499c HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 22464->22485 22466->22428 22467 5205c1 22467->22466 22469 5205d2 HeapDestroy 22467->22469 22469->22460 22470->22434 22471->22440 22472->22442 22473->22446 22474->22449 22486 532594 22475->22486 22480->22444 22481 51ecb4 32 API calls 22481->22455 22482->22457 22483->22462 22484->22467 22485->22467 22497 5312f2 22486->22497 22494 51a5e9 22494->22481 22495 5325db 22525 537540 68 API calls 22495->22525 22526 535eee 22497->22526 22500 531303 22502 535ec8 22500->22502 22501 535ec8 65 API calls 22501->22500 22503 536450 65 API calls 22502->22503 22504 535ed7 22503->22504 22505 5325a6 22504->22505 22555 5364e5 22504->22555 22507 536d19 SetErrorMode SetErrorMode 22505->22507 22508 535ec8 65 API calls 22507->22508 22509 536d30 22508->22509 22510 535ec8 65 API calls 22509->22510 22511 536d3f 22510->22511 22512 

                                                          Control-flow Graph

                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,007A69F4), ref: 004ACA07
                                                          • LoadLibraryA.KERNEL32(?,?,007B70F8), ref: 004ACAF7
                                                          • LoadLibraryA.KERNEL32(?,?), ref: 004ACB3D
                                                          • LoadLibraryA.KERNEL32(?,?,007B7000,?), ref: 004ACB85
                                                          • LoadLibraryA.KERNEL32(?), ref: 004ACB9B
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004ACBAD
                                                          • FreeLibrary.KERNEL32(00000000), ref: 004ACC40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressProc$Free
                                                          • String ID: |jy
                                                          • API String ID: 3120990465-341901971
                                                          • Opcode ID: 6f95c1f9482eac082939388fda0387d2ad5137546a531cf021fda0b8d432bbad
                                                          • Instruction ID: 1d2c88cccca8aee7a8f7e17d5630b8e1bd214987ddca0258d103f64d46bb2e07
                                                          • Opcode Fuzzy Hash: 6f95c1f9482eac082939388fda0387d2ad5137546a531cf021fda0b8d432bbad
                                                          • Instruction Fuzzy Hash: 56A1D4B1600702ABD710DF64D8C1BABB7A8FFA6714F044A2EF85597341D738E905CBA6

                                                          Control-flow Graph

                                                          APIs
                                                          • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                          • RtlAllocateHeap.NTDLL(00B70000,00000008,?,?,10028674), ref: 10027BCD
                                                          • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateMessageProcess
                                                          • String ID: error
                                                          • API String ID: 2992861138-1574812785
                                                          • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                          • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                          • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                          • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                            • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                            • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                            • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                          • String ID: @
                                                          • API String ID: 183890193-2766056989
                                                          • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                          • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                          • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                          • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                          Control-flow Graph

                                                          APIs
                                                          • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                          • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                          • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Version$InfoNumbersSystem
                                                          • String ID:
                                                          • API String ID: 995872648-0
                                                          • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                          • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                          • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                          • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                          • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                            • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Create$Heap$ComputeCrc32Mutex
                                                          • String ID:
                                                          • API String ID: 3311811139-0
                                                          • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                          • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                          • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                          • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                          • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                          • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                          • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                          • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                          • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                          • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                          • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                          • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                          • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                          • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                          • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                          • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 003ae4ac8cee7970459931c614c2645524286e49bc21a157b31e5da3a2b23d0d
                                                          • Instruction ID: b58e3f16e9d3c7f6b23141f341914c848cdac71931e12e92191cde0cda9b2742
                                                          • Opcode Fuzzy Hash: 003ae4ac8cee7970459931c614c2645524286e49bc21a157b31e5da3a2b23d0d
                                                          • Instruction Fuzzy Hash: D6312970800A0DEBCF01DF95E5C4AAEBB70FF49304F5180E5E9A46E259CB359A34DB26

                                                          Control-flow Graph

                                                          control_flow_graph 959 5360e9-536106 EnterCriticalSection 960 536115-53611a 959->960 961 536108-53610f 959->961 963 536137-536140 960->963 964 53611c-53611f 960->964 961->960 962 5361ce-5361d1 961->962 967 5361d3-5361d6 962->967 968 5361d9-5361fa LeaveCriticalSection 962->968 965 536142-536153 GlobalAlloc 963->965 966 536155-536171 GlobalHandle GlobalUnlock GlobalReAlloc 963->966 969 536122-536125 964->969 970 536177-536183 965->970 966->970 967->968 971 536127-53612d 969->971 972 53612f-536131 969->972 973 5361a0-5361cd GlobalLock call 51de30 970->973 974 536185-53619b GlobalHandle GlobalLock LeaveCriticalSection call 52a604 970->974 971->969 971->972 972->962 972->963 973->962 974->973
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(007E5BD8,007E5BAC,00000000,?,007E5BBC,007E5BBC,00536484,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F,?,00000000), ref: 005360F8
                                                          • GlobalAlloc.KERNEL32(00002002,00000000,?,?,007E5BBC,007E5BBC,00536484,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F,?,00000000), ref: 0053614D
                                                          • GlobalHandle.KERNEL32(00B84C80), ref: 00536156
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0053615F
                                                          • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00536171
                                                          • GlobalHandle.KERNEL32(00B84C80), ref: 00536188
                                                          • GlobalLock.KERNEL32(00000000), ref: 0053618F
                                                          • LeaveCriticalSection.KERNEL32(0051A5E9,?,?,007E5BBC,007E5BBC,00536484,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F,?,00000000), ref: 00536195
                                                          • GlobalLock.KERNEL32(00000000), ref: 005361A4
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 005361ED
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                          • String ID:
                                                          • API String ID: 2667261700-0
                                                          • Opcode ID: 63fad3f132bf26efb72d39567dfa04d14275eabd59b3a2e8270ee58155730058
                                                          • Instruction ID: 347bbc5d1d00f307b344a4d397c14b55e086e051f2efb2fc59e45e0dc7cbca3b
                                                          • Opcode Fuzzy Hash: 63fad3f132bf26efb72d39567dfa04d14275eabd59b3a2e8270ee58155730058
                                                          • Instruction Fuzzy Hash: 6E315275600705AFD7249F28EC89A6ABBF9FB44301F004A2DF852C3761E771E848CB21

                                                          Control-flow Graph

                                                          control_flow_graph 978 100294c0-100294cf 979 100294d1-100294e3 GetTempPathA 978->979 980 100294eb-10029511 978->980 981 10029513-1002952c 979->981 982 100294e5-100294e9 979->982 980->981 983 10029531-1002953d 981->983 984 1002952e 981->984 982->981 985 10029543-10029569 GetTickCount wsprintfA PathFileExistsA 983->985 984->983 985->985 986 1002956b-100295b3 call 10027bb0 985->986
                                                          APIs
                                                          • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                          • GetTickCount.KERNEL32 ref: 10029543
                                                          • wsprintfA.USER32 ref: 10029558
                                                          • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Path$CountExistsFileTempTickwsprintf
                                                          • String ID: %s%x.tmp
                                                          • API String ID: 3843276195-78920241
                                                          • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                          • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                          • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                          • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791
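The `control_flow_graph` lines in these function records are a flat serialisation of the basic-block graph: a decimal block id, the block's address or `start-end` range, the API names and `call <addr>` targets executed in that block (with `* n` for repeats), and `src->dst` edges. Read by hand, the loop structure is easy to miss; for the temp-file routine at 100294c0 the edge `985->985` is a block that runs GetTickCount, wsprintfA and PathFileExistsA and then branches back to itself, which reads as a retry loop that keeps building `%s%x.tmp` names until PathFileExistsA reports a free one. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin; the token grammar is inferred from the lines on this page and is an assumption, as is the "retry until free" reading of the self-loop. The two sample lines are copied from this report's records for 100294c0 and 536d19.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed samples: control_flow_graph lines copied from this report's
# function records (the %s%x.tmp routine at 100294c0 and the SetErrorMode
# routine at 536d19).
TEMPFILE_CFG = (
    "control_flow_graph 978 100294c0-100294cf 979 100294d1-100294e3 GetTempPathA "
    "978->979 980 100294eb-10029511 978->980 981 10029513-1002952c 979->981 "
    "982 100294e5-100294e9 979->982 980->981 983 10029531-1002953d 981->983 "
    "984 1002952e 981->984 982->981 985 10029543-10029569 GetTickCount wsprintfA "
    "PathFileExistsA 983->985 984->983 985->985 986 1002956b-100295b3 call 10027bb0 985->986"
)
SETERRORMODE_CFG = (
    "control_flow_graph 1528 536d19-536d44 SetErrorMode * 2 call 535ec8 * 2 "
    "1533 536d46-536d60 call 536d7c 1528->1533 1534 536d65-536d6f call 535ec8 "
    "1528->1534 1533->1534 1538 536d71 call 531307 1534->1538 "
    "1539 536d76-536d79 1534->1539 1538->1539"
)

# Assumed token grammar: an address token is hex, optionally a start-end range.
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    labels: list[str] = field(default_factory=list)  # API names, "call <addr>", "<label> x<n>"


@dataclass
class Cfg:
    blocks: dict[int, Block]
    edges: list[tuple[int, int]]

    def self_loops(self) -> list[int]:
        return sorted(s for s, d in self.edges if s == d)

    def back_edges(self) -> list[tuple[int, int]]:
        # An edge whose target starts at or before its source is a loop in
        # address order; this catches both self-loops and longer retry loops.
        return sorted((s, d) for s, d in self.edges
                      if self.blocks[d].start <= self.blocks[s].start)

    def api_blocks(self) -> dict[int, list[str]]:
        return {b.node_id: b.labels for b in self.blocks.values() if b.labels}


def parse_cfg(line: str) -> Cfg:
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a Joe Sandbox control_flow_graph line")
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    current: Block | None = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge: src->dst
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")      # new block: id then address/range
            start = int(lo, 16)
            current = Block(int(tok), start, int(hi, 16) if hi else start)
            blocks[current.node_id] = current
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} before any block definition")
        if tok == "call" and i + 1 < len(tokens):        # intra-module call target
            current.labels.append(f"call {tokens[i + 1]}")
            i += 2
        elif tok == "*" and i + 1 < len(tokens):         # repeat count for previous label
            current.labels[-1] += f" x{tokens[i + 1]}"
            i += 2
        else:                                            # API name
            current.labels.append(tok)
            i += 1
    for s, d in edges:
        if s not in blocks or d not in blocks:
            raise ValueError(f"edge {s}->{d} references an undefined block")
    return Cfg(blocks, edges)


def describe_loops(cfg: Cfg) -> list[str]:
    """One line per loop edge, naming the APIs the looping block executes."""
    out = []
    for s, d in cfg.back_edges():
        apis = ", ".join(cfg.blocks[s].labels) or "no API calls"
        out.append(f"loop {s}->{d} at {cfg.blocks[s].start:08x}: {apis}")
    return out


if __name__ == "__main__":
    for line in describe_loops(parse_cfg(TEMPFILE_CFG)):
        print(line)
```

Running it on the 100294c0 graph reports a single loop, `985->985` at 10029543 with GetTickCount, wsprintfA and PathFileExistsA, while the 536d19 graph has none. The `back_edges` heuristic relies on the block addresses the report prints, so it is only as good as the disassembly the plugin recovered.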

                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                          • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                            • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                            • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00B70000,00000008,?,?,10028674), ref: 10027BCD
                                                            • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                          • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                          • String ID:
                                                          • API String ID: 749537981-0
                                                          • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                          • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                          • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                          • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                          Control-flow Graph

                                                          control_flow_graph 1132 531307-531310 call 535ec8 1135 531312-53133d call 535c96 GetCurrentThreadId SetWindowsHookExA call 5364e5 1132->1135 1136 531365 1132->1136 1140 531342-531348 1135->1140 1141 531355-531364 call 536450 1140->1141 1142 53134a-53134f call 535ec8 1140->1142 1141->1136 1142->1141
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 0053131A
                                                          • SetWindowsHookExA.USER32(000000FF,VcH,00000000,00000000), ref: 0053132A
                                                            • Part of subcall function 005364E5: __EH_prolog.LIBCMT ref: 005364EA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CurrentH_prologHookThreadWindows
                                                          • String ID: VcH
                                                          • API String ID: 2183259885-2144458766
                                                          • Opcode ID: 8aae62ee84ae179377d0abafc976a012674a01b410eb710897fc1d67874647eb
                                                          • Instruction ID: bce208444a6aa87078a57790f8daeb9b1bda2a6ae2f36557e3323b534caf623b
                                                          • Opcode Fuzzy Hash: 8aae62ee84ae179377d0abafc976a012674a01b410eb710897fc1d67874647eb
                                                          • Instruction Fuzzy Hash: CAF0E532900F016BCB203BB0AD1EB097FA47F40710F051B68F212575E2DF64C8808765

                                                          Control-flow Graph

                                                          control_flow_graph 1528 536d19-536d44 SetErrorMode * 2 call 535ec8 * 2 1533 536d46-536d60 call 536d7c 1528->1533 1534 536d65-536d6f call 535ec8 1528->1534 1533->1534 1538 536d71 call 531307 1534->1538 1539 536d76-536d79 1534->1539 1538->1539
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000000,00000000,005325BE,00000000,00000000,00000000,00000000,?,00000000,?,00529E83,00000000,00000000,00000000,00000000,0051A5E9), ref: 00536D22
                                                          • SetErrorMode.KERNEL32(00000000,?,00000000,?,00529E83,00000000,00000000,00000000,00000000,0051A5E9,00000000), ref: 00536D29
                                                            • Part of subcall function 00536D7C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00536DAD
                                                            • Part of subcall function 00536D7C: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00536E4E
                                                            • Part of subcall function 00536D7C: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00536E7B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 3389432936-0
                                                          • Opcode ID: c73409721a44e57969a6835f5f802bed7234ba3fc26b2bb4236e66c714ea1e57
                                                          • Instruction ID: 4d1aef74c7533c18408f735019182540ae7a307c86e4fd40ae025b508c4cea63
                                                          • Opcode Fuzzy Hash: c73409721a44e57969a6835f5f802bed7234ba3fc26b2bb4236e66c714ea1e57
                                                          • Instruction Fuzzy Hash: 35F04971A087119FC714EF24E548A097FE8BF89710F05888EF4849B3A2CB70D840CBA6

                                                          Control-flow Graph

                                                          control_flow_graph 1541 520588-5205a6 HeapCreate 1542 5205a8-5205b5 call 520440 1541->1542 1543 5205de-5205e0 1541->1543 1546 5205b7-5205c2 call 523e55 1542->1546 1547 5205c4-5205c7 1542->1547 1553 5205ce-5205d0 1546->1553 1549 5205e1-5205e4 1547->1549 1550 5205c9 call 52499c 1547->1550 1550->1553 1553->1549 1554 5205d2-5205d8 HeapDestroy 1553->1554 1554->1543
                                                          APIs
                                                          • HeapCreate.KERNEL32(00000000,00001000,00000000,0051A567,00000001), ref: 00520599
                                                            • Part of subcall function 00520440: GetVersionExA.KERNEL32 ref: 0052045F
                                                          • HeapDestroy.KERNEL32 ref: 005205D8
                                                            • Part of subcall function 00523E55: HeapAlloc.KERNEL32(00000000,00000140,005205C1,000003F8), ref: 00523E62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                          • String ID:
                                                          • API String ID: 2507506473-0
                                                          • Opcode ID: e3a4ee521f2d95d3bf5267faf50a30caf94bd07778a2120cc1afa8551983c647
                                                          • Instruction ID: e8980e38a093253928149522eb75aeb7064ecea7acb4cebf6a0d4e130692f847
                                                          • Opcode Fuzzy Hash: e3a4ee521f2d95d3bf5267faf50a30caf94bd07778a2120cc1afa8551983c647
                                                          • Instruction Fuzzy Hash: 06F06573703311ABDF2067307C8576A2DA4BF85751F105825F600CC1E6EAF489C09912
                                                          Control-flow Graph (graph image not recoverable): basic blocks 10027c40 through 10027c87, with a call to subfunction 10027ae0 and calls to IsBadReadPtr and RtlFreeHeap; the executed / not-executed colouring of the blocks was lost in extraction.
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                          • RtlFreeHeap.NTDLL(00B70000,00000000,00000000), ref: 10027C80
                                                            • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FreeHandleHeapModuleRead
                                                          • String ID:
                                                          • API String ID: 627478288-0
                                                          • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                          • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                          • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                          • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0051BF2C
                                                            • Part of subcall function 00522C44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C81
                                                            • Part of subcall function 00522C44: EnterCriticalSection.KERNEL32(?,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C9C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                          • String ID:
                                                          • API String ID: 1616793339-0
                                                          • Opcode ID: e2c2b54aa759b9868e38ff2f34d0d0acbff52b91b592fe6287b86da8da159c96
                                                          • Instruction ID: 2469fe6da8ad6d897e4c2a2ed4c483602ad85d76cdec38186e667ed35994c6d2
                                                          • Opcode Fuzzy Hash: e2c2b54aa759b9868e38ff2f34d0d0acbff52b91b592fe6287b86da8da159c96
                                                          • Instruction Fuzzy Hash: 46219572A44215ABFB10EB64DC46BDEBBB8FB01720F144615F520EB2D1D7B49982CE64
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074), ref: 0051BDF2
                                                            • Part of subcall function 00522C44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C81
                                                            • Part of subcall function 00522C44: EnterCriticalSection.KERNEL32(?,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C9C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapInitialize
                                                          • String ID:
                                                          • API String ID: 641406236-0
                                                          • Opcode ID: fc764ebcf2e976a8501e049811f8c882f7744aa84a1fdf0998e8888dbf5bd4c8
                                                          • Instruction ID: 7dc30e0a1e43f4cba01143122fe91c85574d7739e0736b99b7f473da2b2162a1
                                                          • Opcode Fuzzy Hash: fc764ebcf2e976a8501e049811f8c882f7744aa84a1fdf0998e8888dbf5bd4c8
                                                          • Instruction Fuzzy Hash: F421D47280121ABBFF18ABA4EC0ABDE7F78FF05320F240519F411B61D0D7798980CAA5
                                                          APIs
                                                          • LoadStringA.USER32(?,?,?,?), ref: 00531E91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: LoadString
                                                          • String ID:
                                                          • API String ID: 2948472770-0
                                                          • Opcode ID: c89291d6955452d5a05a4e72691d0c11e09c4a35ae7827027905426d0ce0a730
                                                          • Instruction ID: 7ce1aeec4d0f03ad16cab6d4a7c5de9fc50f9ced079080901bfb6d75aafec9bb
                                                          • Opcode Fuzzy Hash: c89291d6955452d5a05a4e72691d0c11e09c4a35ae7827027905426d0ce0a730
                                                          • Instruction Fuzzy Hash: 18D05E720083629BCB019F619808C4BBFA8BF65211B054C49F88042211C320D4189661
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                          • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                          • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                          • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 1001F57C
                                                          • IsIconic.USER32(00000000), ref: 1001F86F
                                                          • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
                                                          • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
                                                          • GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
                                                          • GetWindowRect.USER32(00000000,?), ref: 100201EB
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 100205D5
                                                          • CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
                                                          • SelectObject.GDI32(00000000,00000000), ref: 10020798
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 100207D7
                                                          • SelectObject.GDI32(00000000,00000000), ref: 1002086C
                                                          • PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
                                                          • SelectObject.GDI32(00000000,00000000), ref: 10020ADE
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4
                                                            • Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8
                                                            • Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
                                                          • String ID:
                                                          • API String ID: 3140154463-0
                                                          • Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                          • Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
                                                          • Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                          • Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25
                                                          APIs
                                                          • PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileFindNamePath
                                                          • String ID:
                                                          • API String ID: 1422272338-0
                                                          • Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                          • Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
                                                          • Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                          • Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
                                                          • InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
                                                          • InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
                                                          • InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
                                                          • InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
                                                          • InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA
                                                            • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                          • GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked$CodeProcessThreadWindow
                                                          • String ID:
                                                          • API String ID: 1323220708-0
                                                          • Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                          • Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
                                                          • Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                          • Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15
                                                          APIs
                                                          • GetWindowRect.USER32(00000001,00000001), ref: 1002140D
                                                          • GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 100218DC
                                                          • SelectObject.GDI32(00000000,00000000), ref: 1002195D
                                                          • PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
                                                          • GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
                                                          • SelectObject.GDI32(00000000,00000000), ref: 100220CA
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 10022153
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
                                                          • String ID:
                                                          • API String ID: 2343085801-0
                                                          • Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                          • Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
                                                          • Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                          • Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26
                                                          APIs
                                                          • GetVersionExA.KERNEL32 ref: 0052045F
                                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00520494
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005204F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                          • API String ID: 1385375860-4131005785
                                                          • Opcode ID: ba831ef9b5252bffba1e158d20c034c3838df217f69b823f21ca0fbb9c221d34
                                                          • Instruction ID: 4fb4ebec03278de782ffce972b394520f8dc4cd3d2a21a75db86f52bbd9114ea
                                                          • Opcode Fuzzy Hash: ba831ef9b5252bffba1e158d20c034c3838df217f69b823f21ca0fbb9c221d34
                                                          • Instruction Fuzzy Hash: 17311372A4326869EF31A6747C95AE97F68BF03304F1464D5E545C61C3E6218EC9CF11
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
                                                          • API String ID: 0-1655980394
                                                          • Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                          • Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
                                                          • Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                          • Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62
                                                          APIs
                                                          • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileUnmapView
                                                          • String ID:
                                                          • API String ID: 2564024751-0
                                                          • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                          • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                          • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                          • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 1001A976
                                                          • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                          • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ObjectSelect$Release
                                                          • String ID:
                                                          • API String ID: 3581861777-0
                                                          • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                          • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                          • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                          • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                          APIs
                                                          • GetWindow.USER32(?,00000005), ref: 1001A773
                                                          • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                          • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Window$ProcessThreadVisible
                                                          • String ID:
                                                          • API String ID: 569392824-0
                                                          • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                          • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                          • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                          • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                          APIs
                                                          • SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
                                                          • SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
                                                          • UnloadKeyboardLayout.USER32(00000000), ref: 100159A5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: InfoParametersSystem$KeyboardLayoutUnload
                                                          • String ID:
                                                          • API String ID: 1487128349-0
                                                          • Opcode ID: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                          • Instruction ID: 050fea7ffa1bc3994f10f6bed9b27e470259e4e1db6febdaadab7ec0439d0979
                                                          • Opcode Fuzzy Hash: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                          • Instruction Fuzzy Hash: 224245B5E40305EBEB00DF94DCC2FAE77A4EF18355F540025E605BF286E776AA448B62
                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: Z$w
                                                          • API String ID: 1659193697-2716038989
                                                          • Opcode ID: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                          • Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
                                                          • Opcode Fuzzy Hash: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                          • Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55
                                                          APIs
                                                          • WindowFromDC.USER32(00000000), ref: 100237BF
                                                          • GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CurrentFromObjectWindow
                                                          • String ID:
                                                          • API String ID: 1970099965-0
                                                          • Opcode ID: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                          • Instruction ID: 5e3447216257589ac88371f0c3b1c154c22f3bd6e68f106655ab8dd4a69be074
                                                          • Opcode Fuzzy Hash: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                          • Instruction Fuzzy Hash: 9F313770D40308EBDB00DF90D886BADBBB0FB0A751F409065F6087E290E7B19A54DF96
                                                          APIs
                                                          • GetStockObject.GDI32(00000011), ref: 1001ACD1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ObjectStock
                                                          • String ID:
                                                          • API String ID: 3428563643-3916222277
                                                          • Opcode ID: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                          • Instruction ID: b9a15d43875d05f13c7aca3fde3137a0688d1b6e1dffe905ed574dcac1c1d11e
                                                          • Opcode Fuzzy Hash: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                          • Instruction Fuzzy Hash: AE325BB5A402569FEB00CF98DCC1B99BBF4FF29314F580065E546AB342D379B991CB22
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID: (
                                                          • API String ID: 3535843008-3887548279
                                                          • Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                          • Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
                                                          • Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                          • Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID: Thread
                                                          • API String ID: 367298776-915163573
                                                          • Opcode ID: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                          • Instruction ID: e87a296fab3b19ef06520bc3e141919b3527ea124beb15feda4261f24f1e3c13
                                                          • Opcode Fuzzy Hash: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                          • Instruction Fuzzy Hash: 38F116B5E00259ABEF00DFE4EC81BDDBBB5FF08314F640025F605BA241D7B6A9548B65
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID: Process
                                                          • API String ID: 367298776-1235230986
                                                          • Opcode ID: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                          • Instruction ID: 84bd04864f9d1e807072be8e5ab147b3cae892089b2f3c2b5496a308401e609c
                                                          • Opcode Fuzzy Hash: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                          • Instruction Fuzzy Hash: 85E104B5E41259ABEF00DFE4EC81B9DBBB5FF08304F640025F605BA241EB75A954CB61
                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: #
                                                          • API String ID: 1659193697-1885708031
                                                          • Opcode ID: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                          • Instruction ID: 30fcd15e93819707c4a405128049bbda1367cf8e2b4a4446b34ba685154cf5d7
                                                          • Opcode Fuzzy Hash: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                          • Instruction Fuzzy Hash: 2232CF70D0061DEBEB10DFD0EC99BADBBB4FF48340F618094E495BA199CB715AB58B14
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 626452242-0
                                                          • Opcode ID: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                          • Instruction ID: b3f739b553b0eb222627b335ec04950199b8c6fc0fb38b6c76c83e211291c2b2
                                                          • Opcode Fuzzy Hash: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                          • Instruction Fuzzy Hash: 62417C74E0020DFBEB10DFD0EC46BAEBBB4FB08750F204165F618BA195DBB56A608B55
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 626452242-0
                                                          • Opcode ID: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                          • Instruction ID: dea56998412ea2cd2e2e07e98f2853e180ac33eb45cb94fa257388ef996dc557
                                                          • Opcode Fuzzy Hash: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                          • Instruction Fuzzy Hash: 543141B5E40309BBEB50DFD49C82FAE7BB4EB04710F108055FA18BE2C1D7B6A6909B55
                                                          APIs
                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: EnvironmentExpandStrings
                                                          • String ID:
                                                          • API String ID: 237503144-0
                                                          • Opcode ID: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                          • Instruction ID: 93bfbce67b494b6763231a081cd11fe6566247fc84b5e7443ef84a885c003b65
                                                          • Opcode Fuzzy Hash: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                          • Instruction Fuzzy Hash: 96313675E00309BBEB51DED49C82FAE7BF4EF08704F104065FA08BB242D772AA509B55
                                                          APIs
                                                          • DispatchMessageA.USER32(1001176C), ref: 100116D4
                                                          • CallWindowProcA.USER32(?,?,?,?), ref: 10011714
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CallDispatchMessageProcWindow
                                                          • String ID:
                                                          • API String ID: 3568206097-0
                                                          • Opcode ID: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                          • Instruction ID: 63bf1ad0f6820a7cfc32d841282287ffa4cda79eab35e4a2f1e5c3704b1abdfe
                                                          • Opcode Fuzzy Hash: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                          • Instruction Fuzzy Hash: AE21C775E40318EBDB00EF94DCC2A9DBBB1FB0D310F5040A5EA08AB351D371AA90DB52
                                                          APIs
                                                          • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                          • NtClose.NTDLL(?), ref: 100141D7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CloseMutexRelease
                                                          • String ID:
                                                          • API String ID: 2985832019-0
                                                          • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                          • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                          • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                          • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                          • Instruction ID: 90b3556d9a436454375a3f12806074c3db2d9078b135128fdcdde92096655a79
                                                          • Opcode Fuzzy Hash: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                          • Instruction Fuzzy Hash: 52C2B7B4F40346ABFB11CA94DCC2B9E77B0EB08390F214165F658FA2DAD7B15E408B56
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 626452242-0
                                                          • Opcode ID: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                          • Instruction ID: e83377b6f6ad2707753203cfccfcc485ecbfcdf7635717af9e37d537513bb723
                                                          • Opcode Fuzzy Hash: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                          • Instruction Fuzzy Hash: 29814D75E00209ABEF00DFD4DC86FEEBBB4EF08340F504065FA14BA285D7B5AA548B55
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                          • Instruction ID: 7a99189caa79d54ac912ebbbba7bdc920c16141239c7c74b934a59564cf638f4
                                                          • Opcode Fuzzy Hash: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                          • Instruction Fuzzy Hash: 2A6238B5E40348ABEB10DF94DC82F9DBBB5FF08344F244025F608BE292E7B5A9558B51
                                                          APIs
                                                          • PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileFindNamePath
                                                          • String ID:
                                                          • API String ID: 1422272338-0
                                                          • Opcode ID: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                          • Instruction ID: f98056538ddd495e24e8dfbf0cad4fd33bc614c33abef30b02bddadc29e55c32
                                                          • Opcode Fuzzy Hash: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                          • Instruction Fuzzy Hash: 364240B5A40219ABEB00DF94ECC2F9EB7B4FF5C354F140025EA09BF241E775A9508B66
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                          • Instruction ID: ec57d409bd248faccfe3f0420db7539557fe035a6b0d78d3a35a1a7dfc2ec437
                                                          • Opcode Fuzzy Hash: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                          • Instruction Fuzzy Hash: AC5208B5E00208ABEF01DF94EC82FDDBBB5FF08314F544029F614BA292D7B5A9548B65
                                                          APIs
                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E
                                                            • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CodeLibraryLoad
                                                          • String ID:
                                                          • API String ID: 4269728939-0
                                                          • Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                          • Instruction ID: 8ca3c93d7244418e6012e556740facccd0f38a3c9c4ff1909e44a403dc44f6d3
                                                          • Opcode Fuzzy Hash: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                          • Instruction Fuzzy Hash: BC421AB5E40318AFEF50EF94DC82BDDBBB1FB08740F500125F618BA295D7B6A9808B55
                                                          APIs
                                                            • Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E
                                                          • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: MemoryMoveatoi
                                                          • String ID:
                                                          • API String ID: 2867837884-0
                                                          • Opcode ID: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                          • Instruction ID: c625aa631b3fd7664a23ceac8d029317df328e953ac31412f977eb30fe789f83
                                                          • Opcode Fuzzy Hash: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                          • Instruction Fuzzy Hash: 1A023DB5A40216AFFB00DF94DCC1BAEB7A5FF58354F240025E905AB385E7B5B950CB22
                                                          APIs
                                                          • RtlMoveMemory.NTDLL(00000000), ref: 1000665A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: MemoryMove
                                                          • String ID:
                                                          • API String ID: 1951056069-0
                                                          • Opcode ID: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                                                          • Instruction ID: de403b7ac96d81ad167a5567031b13b093eba99a0845d2f8fdd956dd85fb778c
                                                          • Opcode Fuzzy Hash: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                                                          • Instruction Fuzzy Hash: 12B151B5A812969BFF00CF58DCC1B95B7E1EF69324B291470E846AF344D378B861DB21
                                                          APIs
                                                          • GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: KeyboardLayoutList
                                                          • String ID:
                                                          • API String ID: 4253248152-0
                                                          • Opcode ID: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                                                          • Instruction ID: 3f0b898e91331e47705899626b39ccd446a255f5e12301d86a1815f33d743008
                                                          • Opcode Fuzzy Hash: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                                                          • Instruction Fuzzy Hash: 487158F6E00205AFEB00DFA4ECC2BAE77E5EF58251F540025E609EF341E775A9448B62
                                                          APIs
                                                          • LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: AddressProcedure
                                                          • String ID:
                                                          • API String ID: 3653107232-0
                                                          • Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                          • Instruction ID: 78c0987cb7ffc063797d9a6f9d393f2066e6151a443f59dc1fc5ba499ae867df
                                                          • Opcode Fuzzy Hash: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                          • Instruction Fuzzy Hash: 564146B5D40209AFEB00DFD4EC81BAEB7B5FF18314F244065E909AB245D375AA54CB62
                                                          APIs
                                                          • LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Handle
                                                          • String ID:
                                                          • API String ID: 2519475695-0
                                                          • Opcode ID: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                          • Instruction ID: f5b1eeb52ae3afd7add8d8d659320dd3d1fa50eb2e7bb74abf840f5972d141ec
                                                          • Opcode Fuzzy Hash: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                          • Instruction Fuzzy Hash: 6B312FF6D40205ABEB40DF94ECC2B9AB7F8FF18314F184065E90DAB341E375A9548B62
                                                          APIs
                                                          • RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ComputeCrc32
                                                          • String ID:
                                                          • API String ID: 660108262-0
                                                          • Opcode ID: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                          • Instruction ID: 885f51156191be290847c32039febb9a430df116088fdaca21ba1fa0fc310e03
                                                          • Opcode Fuzzy Hash: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                          • Instruction Fuzzy Hash: FE3149B5E00309BBEB51DFD49C82FBE77B8EF14740F104068FA18BA242D7B6A6509B51
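The per-function records above (an APIs list with `ref:` addresses and nested `Part of subcall function` entries, followed by Memory Dump Source and Similarity fields) are awkward to triage by eye once a report runs to hundreds of them. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads records in exactly this layout into dictionaries, then tags each function with the API categories it touches (mutex handling, loader-based API resolution such as LdrGetDllHandleEx/LdrGetProcedureAddress, CRC32 computation, IsBadCodePtr pointer probing). The category table is the editor's own heuristic, not a Joe Sandbox classification. The sample input is constructed from three records on this page, with the Memory Dump Source lines kept only in the first.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source /
Similarity blocks) and tag each function by the API categories it uses."""
import re
from collections import Counter

# Constructed sample: records copied from this report, second and third abbreviated.
SAMPLE = """\
APIs
• ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
• NtClose.NTDLL(?), ref: 100141D7
Memory Dump Source
• Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_S17.jbxd
Similarity
• API ID: CloseMutexRelease
• String ID:
• API String ID: 2985832019-0
• Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
• Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
APIs
• LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E
  • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
Similarity
• API ID: CodeLibraryLoad
• Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
APIs
• LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115
Similarity
• API ID: AddressProcedure
• Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
"""

# One API reference, optionally prefixed by the subcall marker Joe Sandbox uses.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)$"
)

# Editor's heuristic categories (assumption, not Joe Sandbox's own labels).
API_TAGS = {
    "LdrGetProcedureAddress": "runtime API resolution",
    "LdrGetDllHandleEx": "runtime API resolution",
    "LoadLibraryExA": "runtime API resolution",
    "RtlComputeCrc32": "CRC32 hashing",
    "ReleaseMutex": "mutex handling",
    "IsBadCodePtr": "pointer probing",
    "GetKeyboardLayoutList": "locale probing",
}


def parse_records(text):
    """Split report text into records; each starts at an 'APIs' or 'Strings' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            cur = {"apis": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None or not line.startswith("• "):
            continue  # section labels such as 'Similarity' carry no data of their own
        body = line[2:]
        m = API_LINE.match(body)
        if m:
            cur["apis"].append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"],
                "args": m["args"].split(",") if m["args"] else [],
                "subcall": m["caller"],  # None when the call is in the function itself
            })
            continue
        key, _, value = body.partition(":")  # 'Opcode ID: ...', 'String ID:' (empty)
        cur["fields"][key.strip()] = value.strip()
    return records


def tag_record(rec):
    """Sorted, de-duplicated category tags for one function record."""
    return sorted({API_TAGS[a["api"]] for a in rec["apis"] if a["api"] in API_TAGS})


def summarize(records):
    """Map each function (Opcode ID, else first ref address) to its tags."""
    out = {}
    for rec in records:
        key = rec["fields"].get("Opcode ID") or (rec["apis"][0]["ref"] if rec["apis"] else "?")
        out[key] = tag_record(rec)
    return out


def api_histogram(records):
    """How often each API appears across all parsed functions."""
    return Counter(a["api"] for rec in records for a in rec["apis"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for key, tags in summarize(recs).items():
        print(key[:16], tags)
    print(api_histogram(recs).most_common(5))
```

Feed it the whole disassembly section of a report and the histogram shows at a glance how many functions go through the loader directly (LdrGetDllHandleEx, LdrGetProcedureAddress) rather than the import table, which is consistent with a PE that imports no functions; the tagging only says which APIs a function references, not what it does with them.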
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: DirectorySystem
                                                          • String ID:
                                                          • API String ID: 2188284642-0
                                                          • Opcode ID: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                          • Instruction ID: ee8817d9cef94c28fb543e8b0ac086dfa591c469ffb5e13cc4bb05c5ca752fcb
                                                          • Opcode Fuzzy Hash: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                          • Instruction Fuzzy Hash: 2F115875E00309BBEB40DEE49C42BAD76A8EB08754F241469F608FB241D771AB809756
                                                          APIs
                                                          • IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Code
                                                          • String ID:
                                                          • API String ID: 3609698214-0
                                                          • Opcode ID: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                                                          • Instruction ID: e6d0952806afafb3bf167878436ee8aac056beef16ad5c6831721f9da55ad4d1
                                                          • Opcode Fuzzy Hash: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                                                          • Instruction Fuzzy Hash: E8118B70900209FBEB60DF64CC05BED7BB4EF01390F2041AAED08AA1D4DB729A15DB85
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                                                          • Instruction ID: 374fef4b2e02d52e2e07c0ca9dad6c55ed4794edc6ac8ae58a0c039705d7fb64
                                                          • Opcode Fuzzy Hash: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                                                          • Instruction Fuzzy Hash: CC0171B5E0020DABDB00FFE09D82BAEBBB9EB04301F404466F50876105EB71EA549B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                                                          • Instruction ID: cb7720b851b721871b731c706f7cbe3d90cdbd700e2746e4ab45e97b10e25004
                                                          • Opcode Fuzzy Hash: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                                                          • Instruction Fuzzy Hash: 5C018DB5D00218ABDB11FFD09C82B9E77B8EB09341F804466F50476111D7719B988792
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                                                          • Instruction ID: c1b15002a30057ddc80440081b4ff6bc33ecde6fccf9cd62e387e343abd0d63a
                                                          • Opcode Fuzzy Hash: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                                                          • Instruction Fuzzy Hash: DF014DB5D0021DFBEB10EFE0AC82B9E7778EB14644F904066F50466151EB719B549B91
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                                                          • Instruction ID: 4cade7ef096b15f562c821cb4de08ab4d3fc558eeb9d0de8a70c828ff9c11a3c
                                                          • Opcode Fuzzy Hash: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                                                          • Instruction Fuzzy Hash: 170175B5E0020DEBEB00EFE0EC82FAE7B79EF04240F504066E51566105D771AB549B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                                                          • Instruction ID: 0aed2d4544eee8039acc50f3c1f3685790efcc1e5774387d789b9b1403c596f7
                                                          • Opcode Fuzzy Hash: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                                                          • Instruction Fuzzy Hash: 9A0188B5D0430DABEB10FFE09C82FAE7779EB04280F40046BF505A6505DB71AA14EB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                                                          • Instruction ID: 385097fba51063c84e9e930c69dc2d7aac367372f62906f312b1c310141ed2ce
                                                          • Opcode Fuzzy Hash: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                                                          • Instruction Fuzzy Hash: 40015275D00208E7EB01EFE09C92BEF7B78EB08280F404066E51566155DB71AA149B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                                                          • Instruction ID: 3f7b499d2902c1e46d25e5c31060a7ca09a1136a131adf16b63838e7b32e6cd5
                                                          • Opcode Fuzzy Hash: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                                                          • Instruction Fuzzy Hash: 0B018875D0024CABEB00FFE0DC82EAE7779EB05380F50006AF505A6115DB716A54EB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                                                          • Instruction ID: 4c97a0654b066084171f968f8b0ad47121c2de6078470ba5a976a0987d87b010
                                                          • Opcode Fuzzy Hash: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                                                          • Instruction Fuzzy Hash: EC0175B5D00219E7EB00FFE0EC82BAE7B78FB14240F504466F54566145EB716B549B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                                                          • Instruction ID: 3b8a368ce3914a44cda768e978636fd60f477d925661c7c420499c797e447cb4
                                                          • Opcode Fuzzy Hash: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                                                          • Instruction Fuzzy Hash: 9B0171B5D00249ABEB00FFE0EC82AAEBB78FB04240F404466E60966115DB75AB549B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                                                          • Instruction ID: 1686f6cdf9a679c1f5c84585fd33387023eb604c586a5dba44084a63d2e43e5f
                                                          • Opcode Fuzzy Hash: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                                                          • Instruction Fuzzy Hash: 9C0171B5D00359ABEB10FFE0DC82BAEBB78FB04380F400066E64576115EB71AB54CB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                                                          • Instruction ID: 82e752f980966cf0ba4425328bdbe0b5f15696934bb6f442517d9b0340b204dc
                                                          • Opcode Fuzzy Hash: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                                                          • Instruction Fuzzy Hash: 510179B5E00209EBEB00FFE09C82AAEB778EB05240F504466F54566145EBB16654DB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                                                          • Instruction ID: 1a66ded8f8981fca5c39a2578b95296ca62aec53b1f76630b0cdbd515d7a4f8c
                                                          • Opcode Fuzzy Hash: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                                                          • Instruction Fuzzy Hash: D60175B5D00308BBDB11EFE0AC82FEEBB78EB14344F400066E90566501E7B56B14DB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                                                          • Instruction ID: ae9516facd56fc145b0b9ba1995b908798816dd09d6beae3d77d7b55205b3fe1
                                                          • Opcode Fuzzy Hash: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                                                          • Instruction Fuzzy Hash: AF0184B5E0420CABDB00FFE0EC82BEEBBB9EB04244F400466F5056A111DB75EA549B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                                                          • Instruction ID: 4f30fde94411f2541dcfd4e169ebb1e46575794177a9fc60b21b5106f81313a2
                                                          • Opcode Fuzzy Hash: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                                                          • Instruction Fuzzy Hash: 1001D8B5D0431CA7DB00FFE0ACC2FAEBB78EB05300F810465E51566101EBB16A14DB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                                                          • Instruction ID: 91e5747cc3fe246938bda6916c84b67a4fdfd623eeedb860250414ba6297eca5
                                                          • Opcode Fuzzy Hash: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                                                          • Instruction Fuzzy Hash: 7B0171B5D0020DABEB50FFE49C82EAEBBB8FB04240F500466E54466115EB71AB14DB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                                                          • Instruction ID: 31dc5b1c38583c82a0824eac09af333b299f07736d69ab93248bda9d1065cdb0
                                                          • Opcode Fuzzy Hash: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                                                          • Instruction Fuzzy Hash: 390175B5D04308A7EB40FFE09C82AAE7778FB04640F405476F54466145D771AB54CB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                          • Instruction ID: a0f89ea6e8a02a489adc9b983919e457af64c69ca27a1623b1b8ea733fed46f6
                                                          • Opcode Fuzzy Hash: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                          • Instruction Fuzzy Hash: 5F0184B5D0030CEBEB00FFE0AD92FAEBB78EB04240F504066F50466145DBB1AB54DB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                                                          • Instruction ID: 3d49d6b3b442fbd771079eef3efcaca9525747ce25c9376b7200e1962427cb25
                                                          • Opcode Fuzzy Hash: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                                                          • Instruction Fuzzy Hash: 420152B5D04309A7EB00FFE09C82AAEB778EF04240F504066F50466151EB75AA54DB92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                                                          • Instruction ID: e89bca5dfd4d69b457f6ee300803ba63458d7d33b5f739f05a8734b2afd2cb97
                                                          • Opcode Fuzzy Hash: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                                                          • Instruction Fuzzy Hash: 4C0171B5D00209ABEB00FFE49CC2EAEBB78FB04240F900466E55566116DB71AB549BA6
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                                                          • Instruction ID: 2564c689c805b87f96d1dc3a9772f8e9f463aef008d258d62ef8b45eff4f05b1
                                                          • Opcode Fuzzy Hash: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                                                          • Instruction Fuzzy Hash: 8E01D875D0030CA7DB11FFE09C82F9E7779EB08300F400026F615A7112DB75EA549B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
                                                          • Instruction ID: c3b43e173740565f2226f67ccfeaefedf346a2cdf78e56352eac70fc933f1a03
                                                          • Opcode Fuzzy Hash: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
                                                          • Instruction Fuzzy Hash: B0017575D0020CA7FB00FFE09C86F9EBB78FB14340F44446AE61966105E775AA549B92
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                                                          • Instruction ID: 3e1362fdfd7180a89e2653fc66fb6b654d9ba0ea71b3ee1e512a707afa301e7c
                                                          • Opcode Fuzzy Hash: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                                                          • Instruction Fuzzy Hash: 730188B5D0021CA7DB00FFE0AC82B9EB7B8EB04345F904467F90566111D7B29A549B96
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                                                          • Instruction ID: 8d0e244bf49903d48fd7c686830ea074e98c76a4a96eec9f774984162f9bf409
                                                          • Opcode Fuzzy Hash: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                                                          • Instruction Fuzzy Hash: BF0148B5D0431DABEB00FFE09C82FAEB778EB14340F904465F50566116EB71AB54DB92
                                                          APIs
                                                          • GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Ancestor
                                                          • String ID:
                                                          • API String ID: 4063365101-0
                                                          • Opcode ID: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                                                          • Instruction ID: eb8589c6fe16dd3324ac60df81f06840749ea93634a8b87ae7cb4ae9ae9ba44e
                                                          • Opcode Fuzzy Hash: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                                                          • Instruction Fuzzy Hash: C3F03CB4E44308EBDB10EF90E9467ADFB70EB06741F509065E6047B180E7B25A509A8A
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                                                          • Instruction ID: 16cce99742d90ffd21a6e538df0c97e42957f62968f0f4cbc8e65f9f29ad9446
                                                          • Opcode Fuzzy Hash: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                                                          • Instruction Fuzzy Hash: D8F03970E45208FBDB21EF95DC02BADBB74EB05741F1080A5FA087A180D7B5AB509B95
                                                          APIs
                                                          • ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: MutexRelease
                                                          • String ID:
                                                          • API String ID: 1638419-0
                                                          • Opcode ID: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                                                          • Instruction ID: 7b3213fa97c1f7abe5e99e727b00606adf76b996470ce0c1231a1946aded7527
                                                          • Opcode Fuzzy Hash: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                                                          • Instruction Fuzzy Hash: 3AD017B0D45308B7E610AE90EC03B69BA34D706761F105161FA082A190E6B2AB2496DA
                                                          APIs
                                                          • HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5
                                                            • Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                          Similarity
                                                          • API ID: AllocExchangeHeapInterlocked
                                                          APIs
                                                          • HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                          Similarity
                                                          • API ID: AllocHeap
                                                          Similarity
                                                          • API ID: ObjectSelect
                                                          Similarity
                                                          • API ID: ComputeCrc32CreateMutex
                                                          • Opcode Fuzzy Hash: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                                                          • Instruction Fuzzy Hash: 07015335980208FBEF11DFA1DD02BDEBB74EB00350F108022BA146E1A0D772DAA0ABC1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                          • Instruction ID: f86e8bef0b9f5b7b48e3b9b3acc0b6cb1fd06cabc4355fe6e2609782588421e0
                                                          • Opcode Fuzzy Hash: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                          • Instruction Fuzzy Hash: B401EC7594020CBEEF11DF80DC42FEDBB79EB09740F108051FA046D091D7B29AA5AB95
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                          • Instruction ID: e7353d8a689e469959c960a5bb5359493e28a0ae3a5db89d5c895ffd79e8d98e
                                                          • Opcode Fuzzy Hash: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                          • Instruction Fuzzy Hash: 64F04970D00208FBEB10DF90CC06BADBFB0EB01341F204065F9007A1A0D7B6AB94DB85
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                          • Instruction ID: 682ee749917f4e023bc7197140f76a097522797ecf20c1f45cbbd45c019d52a4
                                                          • Opcode Fuzzy Hash: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                          • Instruction Fuzzy Hash: 3CF0FE74D44258EBDB14EE90D8057EDBA74E706305F504266EA04AE190D3B18BA4DB96
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                          • Instruction ID: 02fc14b9e54e6900d73ffd4e28a19c8708dbe27031dd51c44bf3dba7fdb031ba
                                                          • Opcode Fuzzy Hash: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                          • Instruction Fuzzy Hash: ECF05474A00308FBEB21CF94CD81B9CBBB0EF09300F2080E4FE0467381E6B15A509B51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                          • Instruction ID: bbfaceb90791bb35eed418166a23c42ee1e6653db07919fbe020635ad9369783
                                                          • Opcode Fuzzy Hash: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                          • Instruction Fuzzy Hash: B9F03975D00218EBDB00EE90D80ABAEBA78EB15301F100465EA086E190D3B59B54DA96
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                          • Instruction ID: 33dc01a3c2299a3cd355405e5767cb27c6d7fba89f237eed4e622fd5132f0db0
                                                          • Opcode Fuzzy Hash: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                          • Instruction Fuzzy Hash: 5AE08C34D49308B7D610EF40AC87B28BA35E706701F505056FA043A090E7F2AA649A8A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                          • Instruction ID: 761fadcd4debd2308a54b226b4f8dff580185d7010702b48f65d1b5b1071df53
                                                          • Opcode Fuzzy Hash: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                          • Instruction Fuzzy Hash: 66E08C34D45308B7D610EF50EC43B6CBB34E707700F108056FA083A1A0D7B29E60ABCA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                          • Instruction ID: 1fae9ae4253266a87bc96311d46508b5db8f13d56845d8971887a42445dbbd4a
                                                          • Opcode Fuzzy Hash: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                          • Instruction Fuzzy Hash: 7DD05B70D45218F7DA10EF54AC03B39BB34D707761F205261FB143E1D5D6B25920D5DA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                          • Instruction ID: 2a9e0740773b8b6f5e110bd1e2332ab73de667f723c53b2bed2784798aa44a4a
                                                          • Opcode Fuzzy Hash: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                          • Instruction Fuzzy Hash: 90B01232125BD44EC1038309C423B11B7ECE300D48F090090D451C7542C14CF610C494
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                          • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                          • wsprintfA.USER32 ref: 10029676
                                                          • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                            • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                          • atoi.MSVCRT(?), ref: 100296CB
                                                          • strchr.MSVCRT ref: 10029703
                                                          • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                          • wsprintfA.USER32 ref: 10029739
                                                          • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                          • String ID: DLL ERROR
                                                          • API String ID: 3187504500-4092134112
                                                          APIs
                                                          • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                          • strrchr.MSVCRT ref: 10028EC7
                                                          • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                          • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                          • String ID:
                                                          • API String ID: 1380196384-0
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00520742,?,Microsoft Visual C++ Runtime Library,00012010,?,00787BEC,?,00787C3C,?,?,?,Runtime Error!Program: ), ref: 00527DD7
                                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00527DEF
                                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00527E00
                                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00527E0D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad
                                                          • String ID: <|x$GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                          • API String ID: 2238633743-3186960118
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0052068B
                                                          • GetStdHandle.KERNEL32(000000F4,00787BEC,00000000,00000000,00000000,?), ref: 00520761
                                                          • WriteFile.KERNEL32(00000000), ref: 00520768
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: File$HandleModuleNameWrite
                                                          • String ID: ({z$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                          • API String ID: 3784150691-2947446239
                                                          APIs
                                                          • LCMapStringW.KERNEL32(00000000,00000100,00787E7C,00000001,00000000,00000000,74DEE860,007E9E84,?,?,?,0051C2BD,?,?,?,00000000), ref: 00523B86
                                                          • LCMapStringA.KERNEL32(00000000,00000100,00787E78,00000001,00000000,00000000,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 00523BA2
                                                          • LCMapStringA.KERNEL32(?,?,?,0051C2BD,?,?,74DEE860,007E9E84,?,?,?,0051C2BD,?,?,?,00000000), ref: 00523BEB
                                                          • MultiByteToWideChar.KERNEL32(?,007E9E85,?,0051C2BD,00000000,00000000,74DEE860,007E9E84,?,?,?,0051C2BD,?,?,?,00000000), ref: 00523C23
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0051C2BD,?,00000000,?,?,0051C2BD,?), ref: 00523C7B
                                                          • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0051C2BD,?), ref: 00523C91
                                                          • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0051C2BD,?), ref: 00523CC4
                                                          • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0051C2BD,?), ref: 00523D2C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: String$ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 352835431-0
                                                          • Opcode ID: 4ee7bf478979ccc9c32f2226d83bc93b9725fdfded56bc037ce536a2d805bac1
                                                          • Instruction ID: 3cb1facf91b1c214112377db9717e7e081f14cfb432493f4fdd114dbd991970e
                                                          • Opcode Fuzzy Hash: 4ee7bf478979ccc9c32f2226d83bc93b9725fdfded56bc037ce536a2d805bac1
                                                          • Instruction Fuzzy Hash: A5514C7190025DABCF228F94EC45AEE7FB5FF4AB50F204515F911B61A0D3398E60EB61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %I64d$%lf
                                                          • API String ID: 0-1545097854
                                                          • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                          • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                          • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                          • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 00520072
                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 00520086
                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 005200B2
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A59F), ref: 005200EA
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A59F), ref: 0052010C
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0051A59F), ref: 00520125
                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 00520138
                                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00520176
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                          • String ID:
                                                          • API String ID: 1823725401-0
                                                          • Opcode ID: 0b58a65ea1eb9272d914f4aebea81e41d22bde07080277d0fb3a807c7867e809
                                                          • Instruction ID: 8c55c6a1e9c74896bcbcf005174bbbd014e5a0cdb9648edc1f3ecf55686f2b5a
                                                          • Opcode Fuzzy Hash: 0b58a65ea1eb9272d914f4aebea81e41d22bde07080277d0fb3a807c7867e809
                                                          • Instruction Fuzzy Hash: 3431C4725072756FE7217B74BC8883B7EACFE5A354B151A29F541C32C2E6218C90D2A1
                                                          APIs
                                                          • GetStringTypeW.KERNEL32(00000001,00787E7C,00000001,?,74DEE860,007E9E84,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 00527357
                                                          • GetStringTypeA.KERNEL32(00000000,00000001,00787E78,00000001,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 00527371
                                                          • GetStringTypeA.KERNEL32(?,?,?,?,0051C2BD,74DEE860,007E9E84,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 005273A5
                                                          • MultiByteToWideChar.KERNEL32(?,007E9E85,?,?,00000000,00000000,74DEE860,007E9E84,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 005273DD
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0051C2BD,?), ref: 00527433
                                                          • GetStringTypeW.KERNEL32(?,?,00000000,0051C2BD,?,?,?,?,?,?,0051C2BD,?), ref: 00527445
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: StringType$ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 3852931651-0
                                                          • Opcode ID: fc6b4c80ab6d9abc5d6fdd481c69e9967c776c24ea331c70b51248247a52846c
                                                          • Instruction ID: e8e7cecb782fc17ebba40841d296784bfc2ff94690f2cbd78bbea2cf00d9f8aa
                                                          • Opcode Fuzzy Hash: fc6b4c80ab6d9abc5d6fdd481c69e9967c776c24ea331c70b51248247a52846c
                                                          • Instruction Fuzzy Hash: F0415A72604269AFCF11DF94EC85DEE3F79FF2A750F104925FA1196290D3348950ABA1
                                                          APIs
                                                          • TlsGetValue.KERNEL32(007E5BBC,007E5BAC,00000000,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 00536263
                                                          • EnterCriticalSection.KERNEL32(007E5BD8,00000010,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362B2
                                                          • LeaveCriticalSection.KERNEL32(007E5BD8,00000000,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362C5
                                                          • LocalAlloc.KERNEL32(00000000,00000004,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362DB
                                                          • LocalReAlloc.KERNEL32(?,00000004,00000002,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362ED
                                                          • TlsSetValue.KERNEL32(007E5BBC,00000000), ref: 00536329
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                          • String ID:
                                                          • API String ID: 4117633390-0
                                                          • Opcode ID: 4f5274784e88527fc3ad9bf3591c9a140dde17ef777d05684e1eee6e0ac5f88e
                                                          • Instruction ID: cff2b537bd400128be37a0a8e3b9ee00de74aa07e85daff9269e032699187626
                                                          • Opcode Fuzzy Hash: 4f5274784e88527fc3ad9bf3591c9a140dde17ef777d05684e1eee6e0ac5f88e
                                                          • Instruction Fuzzy Hash: 68315A75100606AFD724DF54D899E66BBF8FB85350F00C52DF41687650EB70E819CB61
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00536DAD
                                                            • Part of subcall function 00536E99: lstrlenA.KERNEL32(00000104,00000000,?,00536DDD), ref: 00536ED0
                                                          • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00536E4E
                                                          • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00536E7B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                          • String ID: .HLP$.INI
                                                          • API String ID: 2421895198-3011182340
                                                          • Opcode ID: 13e52bb3b9e210f075c9512619b16586b1d1e3c8b62c61aaf3b240d35f6cffa0
                                                          • Instruction ID: 877962b00d621f17fd0d9100fbaa84d6417a4b1ee5678dadb8208837ecbc9bf5
                                                          • Opcode Fuzzy Hash: 13e52bb3b9e210f075c9512619b16586b1d1e3c8b62c61aaf3b240d35f6cffa0
                                                          • Instruction Fuzzy Hash: 7C3161B6504719AFDB20EB70D889BC7BBFCBF08300F10496AE199D2151DB74AAC4DB60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2928090184.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928201264.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928396374.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928414328.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928434345.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928455581.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928475177.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928493523.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928515843.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007B7000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928534285.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2928633154.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 492c8171bd9e49e3059a41a9689575ad30baeaea1f77ac32c052578dd1c86428
                                                          • Instruction ID: cdb9612aaf1e8ee0da3543c4e82bdf6317063e2398d8dfaa0dd144234c042c31
                                                          • Opcode Fuzzy Hash: 492c8171bd9e49e3059a41a9689575ad30baeaea1f77ac32c052578dd1c86428
                                                          • Instruction Fuzzy Hash: 17C1B3B19042129FC710DF24D88196BB7E8FF96318F04492EF95797351EB38E906CBA6
                                                          APIs
                                                          • GetStartupInfoA.KERNEL32(?), ref: 005201E7
                                                          • GetFileType.KERNEL32(?,?,00000000), ref: 00520292
                                                          • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 005202F5
                                                          • GetFileType.KERNEL32(00000000,?,00000000), ref: 00520303
                                                          • SetHandleCount.KERNEL32 ref: 0052033A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileHandleType$CountInfoStartup
                                                          • String ID:
                                                          • API String ID: 1710529072-0
                                                          • Opcode ID: 61ef1fefad16dc3c81f17f3435dfce1a575a34b9670d474c0f2521b0bdd6bf7a
                                                          • Instruction ID: e74ee9ca71d2faffc0e15ee745fae3fbcffc5e2ba4e9d0ad4966c6ba7992b814
                                                          • Opcode Fuzzy Hash: 61ef1fefad16dc3c81f17f3435dfce1a575a34b9670d474c0f2521b0bdd6bf7a
                                                          • Instruction Fuzzy Hash: A2512776502261CFDB20CB68E88C7697FE0FF16324F289A29D292DB2E2D7309805C751
                                                          APIs
                                                          • GetLastError.KERNEL32(00000103,7FFFFFFF,0051C8B2,0051F1C7,00000000,?,?,00000000,00000001), ref: 005203AE
                                                          • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005203BC
                                                          • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520408
                                                            • Part of subcall function 0051CCA6: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 0051CD9C
                                                          • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 005203E0
                                                          • GetCurrentThreadId.KERNEL32 ref: 005203F1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                          • String ID:
                                                          • API String ID: 2020098873-0
                                                          • Opcode ID: 3e1561b0d60df2ba709d0f1f7ee21b2c7e604de6615f5a0fed07d3b4cddb9e78
                                                          • Instruction ID: 934b10d7a9e11476fda2d98b13fb906a35a6111a38e5fa7ed2e9ef619017d264
                                                          • Opcode Fuzzy Hash: 3e1561b0d60df2ba709d0f1f7ee21b2c7e604de6615f5a0fed07d3b4cddb9e78
                                                          • Instruction Fuzzy Hash: 95F02B366022229FDB352B70BC0D95A7E31FF92771B108919F941D63E1CF308C4296B1
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(007E5D70,?,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3), ref: 005371D0
                                                          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3), ref: 005371E2
                                                          • LeaveCriticalSection.KERNEL32(007E5D70,?,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3), ref: 005371EB
                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3,005312F7), ref: 005371FD
                                                            • Part of subcall function 00537102: GetVersion.KERNEL32(?,005371A5,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3,005312F7,0053259F), ref: 00537115
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                          • String ID: p]~
                                                          • API String ID: 1193629340-320392800
                                                          • Opcode ID: 9ea5a6949c09d744af9e703b255057b375412993c03607b6b785b3b6a8fa56c6
                                                          • Instruction ID: 4e4372c2b8762f1ed0aaecc06bf45f32413e2340a6e9bdf592007e74f63ed9db
                                                          • Opcode Fuzzy Hash: 9ea5a6949c09d744af9e703b255057b375412993c03607b6b785b3b6a8fa56c6
                                                          • Instruction Fuzzy Hash: 4CF04FBA50665EDFCB20DFA4FCC8956B77DFB2C31AB404426F60586021D734E455CA68
                                                          APIs
                                                          • wsprintfA.USER32 ref: 10027B78
                                                          • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Messagewsprintf
                                                          • String ID: error$program internal error number is %d. %s
                                                          • API String ID: 300413163-3752934751
                                                          • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                          • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                          • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                          • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                          APIs
                                                          • HeapAlloc.KERNEL32(00000000,00002020,007A81D0,007A81D0,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000), ref: 005249BD
                                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000), ref: 005249E1
                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000), ref: 005249FB
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000,?), ref: 00524ABC
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000,?,00000000), ref: 00524AD3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual$FreeHeap
                                                          • String ID:
                                                          • API String ID: 714016831-0
                                                          • Opcode ID: 4d5795f96e935a14ec4f40d6458586451b341b0902c93f6c1ff3425f409d2d18
                                                          • Instruction ID: 68db858c95cfd1a549588c7097b8e0c7abcff402196b57f1dd8bfb6505046ab8
                                                          • Opcode Fuzzy Hash: 4d5795f96e935a14ec4f40d6458586451b341b0902c93f6c1ff3425f409d2d18
                                                          • Instruction Fuzzy Hash: 5A312071A817159BD320CF28FC44B22BAE5FB86750F108639E5559B2D0EB78A8408F59
                                                          APIs
                                                          • malloc.MSVCRT ref: 10029FB3
                                                          • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                          • free.MSVCRT ref: 10029FF6
                                                          • free.MSVCRT ref: 1002A014
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: free$Stringmalloc
                                                          • String ID:
                                                          • API String ID: 3576809655-0
                                                          • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                          • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                          • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                          • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                          APIs
                                                          • GetVersion.KERNEL32 ref: 0051A52F
                                                            • Part of subcall function 00520588: HeapCreate.KERNEL32(00000000,00001000,00000000,0051A567,00000001), ref: 00520599
                                                            • Part of subcall function 00520588: HeapDestroy.KERNEL32 ref: 005205D8
                                                          • GetCommandLineA.KERNEL32 ref: 0051A58F
                                                          • GetStartupInfoA.KERNEL32(?), ref: 0051A5BA
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0051A5DD
                                                            • Part of subcall function 0051A636: ExitProcess.KERNEL32 ref: 0051A653
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                          • String ID:
                                                          • API String ID: 2057626494-0
                                                          • Opcode ID: 5ed8fc3c02823a4202ba596287148609586901291b66cf97aa2b2d9f2f2980d9
                                                          • Instruction ID: 87813a256b5383736a28975fa4f3c478383fe933baf9cb57af6a6e245495cad0
                                                          • Opcode Fuzzy Hash: 5ed8fc3c02823a4202ba596287148609586901291b66cf97aa2b2d9f2f2980d9
                                                          • Instruction Fuzzy Hash: D521E4B0C0578A9FEB04ABB0EC4EAAD7FB8FF45704F104129F9019A2D1DB388880C761
                                                          APIs
                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                          • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                          • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2930629418.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CloseFileHandle$CreateWrite
                                                          • String ID:
                                                          • API String ID: 3602564925-0
                                                          • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                          • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                          • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                          • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                          APIs
                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 0051F713
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Info
                                                          • String ID: $
                                                          • API String ID: 1807457897-3032137957
                                                          • Opcode ID: 041f14e6359c40e110e6e9075aad687c66ad8b4cebb70bc142e2e03c45334d30
                                                          • Instruction ID: ab07f19c13149a0ef12433ada24027e58874ef0d0aa273af1aa89430f7862ca0
                                                          • Opcode Fuzzy Hash: 041f14e6359c40e110e6e9075aad687c66ad8b4cebb70bc142e2e03c45334d30
                                                          • Instruction Fuzzy Hash: 2C4149320052A87AFB11DB14DD99FEA7FA8FB1A700F1445F5D646CB192C2394A84DBA3
                                                          APIs
                                                            • Part of subcall function 0051D44C: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0051A5E9,00000000), ref: 0051D47A
                                                          • __EH_prolog.LIBCMT ref: 0052A63B
                                                          • lstrcpynA.KERNEL32(?,?,00000104), ref: 0052A728
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExceptionH_prologRaiselstrcpyn
                                                          • String ID: 0@~
                                                          • API String ID: 2915105959-2632855484
                                                          • Opcode ID: a2d5e0684046290b5e10c32e4955e4884d10c38e17d83f1a7c7010f4d86870d7
                                                          • Instruction ID: 2e9c89a60c701ad596b26f60d460b35a3198e5839f2904d9daf61cedbdea8777
                                                          • Opcode Fuzzy Hash: a2d5e0684046290b5e10c32e4955e4884d10c38e17d83f1a7c7010f4d86870d7
                                                          • Instruction Fuzzy Hash: B54157B0600705AFD711DF68D885B9BBFF4FF45304F04482EE59A97282D7B4A944CB66
                                                          APIs
                                                          • HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,005242C2,00000000,00000000,00000000,0051BE93,00000000,00000000,?,00000000,00000000,00000000), ref: 00524522
                                                          • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005242C2,00000000,00000000,00000000,0051BE93,00000000,00000000,?,00000000,00000000,00000000), ref: 00524556
                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00524570
                                                          • HeapFree.KERNEL32(00000000,?), ref: 00524587
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AllocHeap$FreeVirtual
                                                          • String ID:
                                                          • API String ID: 3499195154-0
                                                          • Opcode ID: da57bcf1bcf626effddd66c01784a3daed996f173d47f026efeb532fbfe14ffe
                                                          • Instruction ID: 1ee8ee885daa6e84748a58175d0edf56f79c686e77a936ca95c84200b46b91e7
                                                          • Opcode Fuzzy Hash: da57bcf1bcf626effddd66c01784a3daed996f173d47f026efeb532fbfe14ffe
                                                          • Instruction Fuzzy Hash: 361158332013819FC720CF28FC859A2BBB5FB897247148A19F3A6CA2B0D3B59845DF54
                                                          APIs
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C28
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C30
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C38
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2928106864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalInitializeSection
                                                          • String ID:
                                                          • API String ID: 32694325-0
                                                          • Opcode ID: 897d6151f6e29b4ead05583e689f077f6d00e6372729029d2dd993c98794d7a6
                                                          • Instruction ID: f19e875aee3abb21faea54addff1ce771f2f99497a523bd9a06963582b441486
                                                          • Opcode Fuzzy Hash: 897d6151f6e29b4ead05583e689f077f6d00e6372729029d2dd993c98794d7a6
                                                          • Instruction Fuzzy Hash: A7C0023180D038AECA166B55FD0585A3F75EB8B26130184E3B1045213086651D12EFD4

                                                          Execution Graph

                                                          Execution Coverage:7.4%
                                                          Dynamic/Decrypted Code Coverage:59.3%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:578
                                                          Total number of Limit Nodes:25
10008069 NtClose 22357 1000807e 22356->22357 22357->22170 22359 1001a047 22358->22359 22367 1001a0a1 22358->22367 22360 1000188f 17 API calls 22359->22360 22362 1001a058 22360->22362 22372 100031b3 6 API calls 22362->22372 22363 10019f88 22363->22170 22363->22346 22365 1001a087 InterlockedExchange 22365->22367 22366 1001a074 22366->22365 22368 10004b1b 22367->22368 22369 10004b3d 22368->22369 22370 10004b2e 22368->22370 22369->22370 22371 10004baa LdrInitializeThunk 22369->22371 22370->22363 22371->22363 22372->22366 22374 1001a1af 22373->22374 22382 1001a209 22373->22382 22376 1000188f 17 API calls 22374->22376 22375 10004b1b LdrInitializeThunk 22377 1001a22b 22375->22377 22378 1001a1c0 22376->22378 22377->22350 22383 100031b3 6 API calls 22378->22383 22380 1001a1ef InterlockedExchange 22380->22382 22381 1001a1dc 22381->22380 22382->22375 22383->22381 22385 10007dce 22384->22385 22386 10007e28 22384->22386 22387 1000188f 17 API calls 22385->22387 22388 10004b1b LdrInitializeThunk 22386->22388 22389 10007ddf 22387->22389 22390 10007e4a 22388->22390 22394 100031b3 6 API calls 22389->22394 22390->22356 22390->22357 22392 10007dfb 22393 10007e0e InterlockedExchange 22392->22393 22393->22386 22394->22392 22696 10027050 63 API calls 22749 10011753 DispatchMessageA CallWindowProcA 22395 51be07 22398 51be19 22395->22398 22399 51be16 22398->22399 22401 51be20 22398->22401 22401->22399 22402 51be45 22401->22402 22403 51be72 22402->22403 22405 51beb5 22402->22405 22409 51bea0 22403->22409 22420 522c44 29 API calls 22403->22420 22405->22409 22410 51bed7 22405->22410 22406 51be88 22421 5241f1 HeapReAlloc HeapAlloc VirtualAlloc HeapFree VirtualAlloc 22406->22421 22407 51bf24 RtlAllocateHeap 22408 51bea7 22407->22408 22408->22401 22409->22407 22409->22408 22423 522c44 29 API calls 22410->22423 22413 51be93 22422 51beac LeaveCriticalSection 22413->22422 22414 51bede 22424 524c94 6 API calls 22414->22424 22417 51bef1 22425 51bf0b LeaveCriticalSection 22417->22425 22419 51befe 
22419->22408 22419->22409 22420->22406 22421->22413 22422->22409 22423->22414 22424->22417 22425->22419 22426 51a509 GetVersion 22458 520588 HeapCreate 22426->22458 22428 51a567 22429 51a574 22428->22429 22430 51a56c 22428->22430 22470 520345 37 API calls 22429->22470 22478 51a636 8 API calls 22430->22478 22434 51a579 22435 51a585 22434->22435 22436 51a57d 22434->22436 22471 520189 34 API calls 22435->22471 22479 51a636 8 API calls 22436->22479 22440 51a58f GetCommandLineA 22472 520057 37 API calls 22440->22472 22442 51a59f 22480 51fe0a 49 API calls 22442->22480 22444 51a5a9 22473 51fd51 48 API calls 22444->22473 22446 51a5ae 22447 51a5b3 GetStartupInfoA 22446->22447 22474 51fcf9 48 API calls 22447->22474 22449 51a5c5 22450 51a5ce 22449->22450 22451 51a5d7 GetModuleHandleA 22450->22451 22475 529e6e 22451->22475 22455 51a5f2 22482 51fb81 36 API calls 22455->22482 22457 51a603 22459 5205a8 22458->22459 22460 5205de 22458->22460 22483 520440 57 API calls 22459->22483 22460->22428 22462 5205ad 22463 5205b7 22462->22463 22464 5205c4 22462->22464 22484 523e55 HeapAlloc 22463->22484 22466 5205e1 22464->22466 22485 52499c HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 22464->22485 22466->22428 22467 5205c1 22467->22466 22469 5205d2 HeapDestroy 22467->22469 22469->22460 22470->22434 22471->22440 22472->22442 22473->22446 22474->22449 22486 532594 22475->22486 22480->22444 22481 51ecb4 32 API calls 22481->22455 22482->22457 22483->22462 22484->22467 22485->22467 22497 5312f2 22486->22497 22494 51a5e9 22494->22481 22495 5325db 22525 537540 68 API calls 22495->22525 22526 535eee 22497->22526 22500 531303 22502 535ec8 22500->22502 22501 535ec8 65 API calls 22501->22500 22503 536450 65 API calls 22502->22503 22504 535ed7 22503->22504 22505 5325a6 22504->22505 22555 5364e5 22504->22555 22507 536d19 SetErrorMode SetErrorMode 22505->22507 22508 535ec8 65 API calls 22507->22508 22509 536d30 22508->22509 22510 535ec8 65 API calls 22509->22510 22511 536d3f 22510->22511 22512 
536d65 22511->22512 22563 536d7c 22511->22563 22514 535ec8 65 API calls 22512->22514 22515 536d6a 22514->22515 22516 5325be 22515->22516 22582 531307 22515->22582 22516->22495 22518 52c421 22516->22518 22521 52c436 22518->22521 22522 52c42d 22518->22522 22519 52c43e 22606 51a38d 22519->22606 22521->22519 22523 52c47d 22521->22523 22522->22495 22613 52c2f5 29 API calls 22523->22613 22525->22494 22527 535ec8 65 API calls 22526->22527 22528 535ef3 22527->22528 22531 536450 22528->22531 22532 536486 TlsGetValue 22531->22532 22533 536459 22531->22533 22535 536499 22532->22535 22534 536473 22533->22534 22552 536050 65 API calls 22533->22552 22542 5360e9 EnterCriticalSection 22534->22542 22537 5312f7 22535->22537 22538 5364ac 22535->22538 22537->22500 22537->22501 22553 536258 65 API calls 22538->22553 22540 536484 22540->22532 22543 536108 22542->22543 22544 536142 GlobalAlloc 22543->22544 22545 536155 GlobalHandle GlobalUnlock GlobalReAlloc 22543->22545 22546 5361c4 22543->22546 22548 536177 22544->22548 22545->22548 22547 5361d9 LeaveCriticalSection 22546->22547 22547->22540 22549 5361a0 GlobalLock 22548->22549 22550 536185 GlobalHandle GlobalLock LeaveCriticalSection 22548->22550 22549->22546 22554 52a604 65 API calls __EH_prolog 22550->22554 22552->22534 22553->22537 22554->22549 22556 5364ef __EH_prolog 22555->22556 22557 53651d 22556->22557 22561 537195 6 API calls 22556->22561 22557->22505 22559 536506 22562 537205 LeaveCriticalSection 22559->22562 22561->22559 22562->22557 22564 535ec8 65 API calls 22563->22564 22565 536d8f GetModuleFileNameA 22564->22565 22593 51c4d7 29 API calls 22565->22593 22567 536dc1 22594 536e99 lstrlenA lstrcpynA 22567->22594 22569 536ddd 22570 536df3 22569->22570 22599 51ec5c 29 API calls 22569->22599 22581 536e2d 22570->22581 22595 531e7a 22570->22595 22573 536e60 22575 536e8d 22573->22575 22576 536e6f lstrcatA 22573->22576 22574 536e45 lstrcpyA 22601 51ec5c 29 API calls 22574->22601 22575->22512 22602 51ec5c 29 API calls 22576->22602 
22581->22573 22581->22574 22583 535ec8 65 API calls 22582->22583 22584 53130c 22583->22584 22592 531364 22584->22592 22603 535c96 22584->22603 22587 5364e5 7 API calls 22588 531342 22587->22588 22589 535ec8 65 API calls 22588->22589 22591 53134f 22588->22591 22589->22591 22590 536450 65 API calls 22590->22592 22591->22590 22592->22516 22593->22567 22594->22569 22596 535ec8 65 API calls 22595->22596 22597 531e80 LoadStringA 22596->22597 22598 531e9b 22597->22598 22600 51ec5c 29 API calls 22598->22600 22599->22570 22600->22581 22601->22573 22602->22575 22604 536450 65 API calls 22603->22604 22605 531318 GetCurrentThreadId SetWindowsHookExA 22604->22605 22605->22587 22614 51dd74 22606->22614 22608 51a397 EnterCriticalSection 22609 51a3b5 22608->22609 22610 51a3e6 LeaveCriticalSection 22608->22610 22615 52bdde 29 API calls 22609->22615 22610->22522 22612 51a3c7 22612->22610 22613->22522 22614->22608 22615->22612 22700 1002706f 46 API calls 22758 10026d73 89 API calls 22759 10026b71 23 API calls 22761 1002572d 24 API calls 22702 10026c7b HeapAlloc 22763 10026f7c 45 API calls 22705 1002708e 34 API calls 22767 10027192 60 API calls 22707 51ecc5 32 API calls 22770 5357c6 65 API calls __EH_prolog 22771 10026f9b 23 API calls 22709 10026e99 90 API calls 22712 100274b1 10 API calls 22714 1002a472 __CxxFrameHandler 22715 10026eb8 91 API calls 22716 10026cb9 23 API calls 22719 1001a595 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22778 10026dc5 31 API calls 22781 10026bd6 25 API calls 22722 100270d8 28 API calls 22723 10026cd8 22 API calls 22784 10026de4 85 API calls 21986 52c4a3 21987 52c4b7 21986->21987 21991 52c4ab 21986->21991 21990 52c4e4 21987->21990 21987->21991 21989 52c4b6 21994 52c31e 21990->21994 21997 51a41c EnterCriticalSection LeaveCriticalSection 21991->21997 21998 51bd1e 21994->21998 21997->21989 21999 51bdf8 21998->21999 22000 51bd4c 21998->22000 22001 51bd91 22000->22001 22002 51bd56 22000->22002 22014 51bd82 22001->22014 22018 522c44 29 API calls 
22001->22018 22015 522c44 29 API calls 22002->22015 22004 51bdea RtlFreeHeap 22004->21999 22006 51bd5d 22007 51bd77 22006->22007 22016 523ec8 VirtualFree VirtualFree HeapFree 22006->22016 22017 51bd88 LeaveCriticalSection 22007->22017 22010 51bd9d 22011 51bdc9 22010->22011 22019 524c4f VirtualFree HeapFree VirtualFree 22010->22019 22020 51bde0 LeaveCriticalSection 22011->22020 22014->21999 22014->22004 22015->22006 22016->22007 22017->22014 22018->22010 22019->22011 22020->22014 22788 100291f3 ??3@YAXPAX GetProcessHeap HeapFree 22789 100293f0 ??3@YAXPAX 22729 10026ef6 76 API calls 22730 10026cf7 43 API calls

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                            • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                            • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                            • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                          • String ID: @
                                                          • API String ID: 183890193-2766056989
                                                          • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                          • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                          • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                          • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                          Control-flow Graph

                                                          APIs
                                                          • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                          • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                          • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Version$InfoNumbersSystem
                                                          • String ID:
                                                          • API String ID: 995872648-0
                                                          • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                          • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                          • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                          • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                          • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                            • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Create$Heap$ComputeCrc32Mutex
                                                          • String ID:
                                                          • API String ID: 3311811139-0
                                                          • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                          • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                          • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                          • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                          • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                          • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                          • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 367298776-0
                                                          • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                          • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                          • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                          • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID:
                                                          • API String ID: 1964310414-0
                                                          • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                          • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                          • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                          • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

                                                          Control-flow Graph

                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,007A69F4), ref: 004ACA07
                                                          • LoadLibraryA.KERNEL32(?,?,007B70F8), ref: 004ACAF7
                                                          • LoadLibraryA.KERNEL32(?,?), ref: 004ACB3D
                                                          • LoadLibraryA.KERNEL32(?,?,007B7000,?), ref: 004ACB85
                                                          • LoadLibraryA.KERNEL32(?), ref: 004ACB9B
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004ACBAD
                                                          • FreeLibrary.KERNEL32(00000000), ref: 004ACC40
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressProc$Free
                                                          • String ID: |jy

                                                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(007E5BD8,007E5BAC,00000000,?,007E5BBC,007E5BBC,00536484,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F,?,00000000), ref: 005360F8
                                                          • GlobalAlloc.KERNEL32(00002002,00000000,?,?,007E5BBC,007E5BBC,00536484,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F,?,00000000), ref: 0053614D
                                                          • GlobalHandle.KERNEL32(00A04258), ref: 00536156
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0053615F
                                                          • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00536171
                                                          • GlobalHandle.KERNEL32(00A04258), ref: 00536188
                                                          • GlobalLock.KERNEL32(00000000), ref: 0053618F
                                                          • LeaveCriticalSection.KERNEL32(0051A5E9,?,?,007E5BBC,007E5BBC,00536484,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F,?,00000000), ref: 00536195
                                                          • GlobalLock.KERNEL32(00000000), ref: 005361A4
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 005361ED
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                          • String ID:

                                                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                          APIs
                                                          • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                          • GetTickCount.KERNEL32 ref: 10029543
                                                          • wsprintfA.USER32 ref: 10029558
                                                          • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Path$CountExistsFileTempTickwsprintf
                                                          • String ID: %s%x.tmp

                                                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                          • RtlAllocateHeap.NTDLL(00A00000,00000008,?,?,10028674), ref: 10027BCD
                                                          • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateMessageProcess
                                                          • String ID: error

                                                          Control-flow Graph (rendered graph not reproduced)

                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                          • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                            • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                            • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00A00000,00000008,?,?,10028674), ref: 10027BCD
                                                            • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                          • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                          • String ID:

                                                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 0053131A
                                                          • SetWindowsHookExA.USER32(000000FF,VcH,00000000,00000000), ref: 0053132A
                                                            • Part of subcall function 005364E5: __EH_prolog.LIBCMT ref: 005364EA
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CurrentH_prologHookThreadWindows
                                                          • String ID: VcH

                                                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000000,00000000,005325BE,00000000,00000000,00000000,00000000,?,00000000,?,00529E83,00000000,00000000,00000000,00000000,0051A5E9), ref: 00536D22
                                                          • SetErrorMode.KERNEL32(00000000,?,00000000,?,00529E83,00000000,00000000,00000000,00000000,0051A5E9,00000000), ref: 00536D29
                                                            • Part of subcall function 00536D7C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00536DAD
                                                            • Part of subcall function 00536D7C: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00536E4E
                                                            • Part of subcall function 00536D7C: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00536E7B
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                          • String ID:

                                                          Control-flow Graph (rendered graph not preserved; blocks marked executed / not executed in the original). Basic blocks and successors:
                                                          • 520588-5205a6 HeapCreate -> 5205a8, 5205de
                                                          • 5205a8-5205b5 call 520440 -> 5205b7, 5205c4
                                                          • 5205b7-5205c2 call 523e55 -> 5205ce
                                                          • 5205c4-5205c7 -> 5205e1, 5205c9
                                                          • 5205c9 call 52499c -> 5205ce
                                                          • 5205ce-5205d0 -> 5205e1, 5205d2
                                                          • 5205d2-5205d8 HeapDestroy -> 5205de
                                                          • 5205de-5205e0
                                                          • 5205e1-5205e4
                                                          APIs
                                                          • HeapCreate.KERNEL32(00000000,00001000,00000000,0051A567,00000001), ref: 00520599
                                                            • Part of subcall function 00520440: GetVersionExA.KERNEL32 ref: 0052045F
                                                          • HeapDestroy.KERNEL32 ref: 005205D8
                                                            • Part of subcall function 00523E55: HeapAlloc.KERNEL32(00000000,00000140,005205C1,000003F8), ref: 00523E62
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                          • String ID:
                                                          • API String ID: 2507506473-0
                                                          • Opcode ID: e3a4ee521f2d95d3bf5267faf50a30caf94bd07778a2120cc1afa8551983c647
                                                          • Instruction ID: e8980e38a093253928149522eb75aeb7064ecea7acb4cebf6a0d4e130692f847
                                                          • Opcode Fuzzy Hash: e3a4ee521f2d95d3bf5267faf50a30caf94bd07778a2120cc1afa8551983c647
                                                          • Instruction Fuzzy Hash: 06F06573703311ABDF2067307C8576A2DA4BF85751F105825F600CC1E6EAF489C09912

                                                          Control-flow Graph (rendered graph not preserved; blocks marked executed / not executed in the original). Basic blocks and successors:
                                                          • 10027c40-10027c4b -> 10027c86, 10027c4d
                                                          • 10027c4d-10027c54 -> 10027c56, 10027c5b
                                                          • 10027c56 call 10027ae0 -> 10027c5b
                                                          • 10027c5b-10027c61 -> 10027c63, 10027c6b
                                                          • 10027c63-10027c69 -> 10027c86, 10027c6b
                                                          • 10027c6b-10027c76 IsBadReadPtr -> 10027c86, 10027c78
                                                          • 10027c78-10027c80 RtlFreeHeap -> 10027c86
                                                          • 10027c86-10027c87
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                          • RtlFreeHeap.NTDLL(00A00000,00000000,00000000), ref: 10027C80
                                                            • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FreeHandleHeapModuleRead
                                                          • String ID:
                                                          • API String ID: 627478288-0
                                                          • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                          • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                          • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                          • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0051BF2C
                                                            • Part of subcall function 00522C44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C81
                                                            • Part of subcall function 00522C44: EnterCriticalSection.KERNEL32(?,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C9C
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                          • String ID:
                                                          • API String ID: 1616793339-0
                                                          • Opcode ID: e2c2b54aa759b9868e38ff2f34d0d0acbff52b91b592fe6287b86da8da159c96
                                                          • Instruction ID: 2469fe6da8ad6d897e4c2a2ed4c483602ad85d76cdec38186e667ed35994c6d2
                                                          • Opcode Fuzzy Hash: e2c2b54aa759b9868e38ff2f34d0d0acbff52b91b592fe6287b86da8da159c96
                                                          • Instruction Fuzzy Hash: 46219572A44215ABFB10EB64DC46BDEBBB8FB01720F144615F520EB2D1D7B49982CE64
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074), ref: 0051BDF2
                                                            • Part of subcall function 00522C44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C81
                                                            • Part of subcall function 00522C44: EnterCriticalSection.KERNEL32(?,?,?,0051CD5C,00000009,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 00522C9C
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapInitialize
                                                          • String ID:
                                                          • API String ID: 641406236-0
                                                          • Opcode ID: fc764ebcf2e976a8501e049811f8c882f7744aa84a1fdf0998e8888dbf5bd4c8
                                                          • Instruction ID: 7dc30e0a1e43f4cba01143122fe91c85574d7739e0736b99b7f473da2b2162a1
                                                          • Opcode Fuzzy Hash: fc764ebcf2e976a8501e049811f8c882f7744aa84a1fdf0998e8888dbf5bd4c8
                                                          • Instruction Fuzzy Hash: F421D47280121ABBFF18ABA4EC0ABDE7F78FF05320F240519F411B61D0D7798980CAA5
                                                          APIs
                                                          • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                          • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                          • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                          • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                          APIs
                                                          • LoadStringA.USER32(?,?,?,?), ref: 00531E91
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: LoadString
                                                          • String ID:
                                                          • API String ID: 2948472770-0
                                                          • Opcode ID: c89291d6955452d5a05a4e72691d0c11e09c4a35ae7827027905426d0ce0a730
                                                          • Instruction ID: 7ce1aeec4d0f03ad16cab6d4a7c5de9fc50f9ced079080901bfb6d75aafec9bb
                                                          • Opcode Fuzzy Hash: c89291d6955452d5a05a4e72691d0c11e09c4a35ae7827027905426d0ce0a730
                                                          • Instruction Fuzzy Hash: 18D05E720083629BCB019F619808C4BBFA8BF65211B054C49F88042211C320D4189661
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                          • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                          • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                          • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                          APIs
                                                          • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileUnmapView
                                                          • String ID:
                                                          • API String ID: 2564024751-0
                                                          • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                          • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                          • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                          • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 1001A976
                                                          • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                          • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ObjectSelect$Release
                                                          • String ID:
                                                          • API String ID: 3581861777-0
                                                          • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                          • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                          • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                          • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                          APIs
                                                          • GetWindow.USER32(?,00000005), ref: 1001A773
                                                          • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                          • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Window$ProcessThreadVisible
                                                          • String ID:
                                                          • API String ID: 569392824-0
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                          • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                          • wsprintfA.USER32 ref: 10029676
                                                          • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                            • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                          • atoi.MSVCRT(?), ref: 100296CB
                                                          • strchr.MSVCRT ref: 10029703
                                                          • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                          • wsprintfA.USER32 ref: 10029739
                                                          • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                          • String ID: DLL ERROR
                                                          • API String ID: 3187504500-4092134112
                                                          APIs
                                                          • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                          • strrchr.MSVCRT ref: 10028EC7
                                                          • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                          • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                          • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                          • String ID:
                                                          • API String ID: 1380196384-0
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00520742,?,Microsoft Visual C++ Runtime Library,00012010,?,00787BEC,?,00787C3C,?,?,?,Runtime Error!Program: ), ref: 00527DD7
                                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00527DEF
                                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00527E00
                                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00527E0D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad
                                                          • String ID: <|x$GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                          • API String ID: 2238633743-3186960118
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0052068B
                                                          • GetStdHandle.KERNEL32(000000F4,00787BEC,00000000,00000000,00000000,?), ref: 00520761
                                                          • WriteFile.KERNEL32(00000000), ref: 00520768
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: File$HandleModuleNameWrite
                                                          • String ID: ({z$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                          • API String ID: 3784150691-2947446239
                                                          APIs
                                                          • LCMapStringW.KERNEL32(00000000,00000100,00787E7C,00000001,00000000,00000000,74DEE860,007E9E84,?,?,?,0051C2BD,?,?,?,00000000), ref: 00523B86
                                                          • LCMapStringA.KERNEL32(00000000,00000100,00787E78,00000001,00000000,00000000,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 00523BA2
                                                          • LCMapStringA.KERNEL32(?,?,?,0051C2BD,?,?,74DEE860,007E9E84,?,?,?,0051C2BD,?,?,?,00000000), ref: 00523BEB
                                                          • MultiByteToWideChar.KERNEL32(?,007E9E85,?,0051C2BD,00000000,00000000,74DEE860,007E9E84,?,?,?,0051C2BD,?,?,?,00000000), ref: 00523C23
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0051C2BD,?,00000000,?,?,0051C2BD,?), ref: 00523C7B
                                                          • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0051C2BD,?), ref: 00523C91
                                                          • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0051C2BD,?), ref: 00523CC4
                                                          • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0051C2BD,?), ref: 00523D2C
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: String$ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 352835431-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %I64d$%lf
                                                          • API String ID: 0-1545097854
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 00520072
                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 00520086
                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 005200B2
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A59F), ref: 005200EA
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0051A59F), ref: 0052010C
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0051A59F), ref: 00520125
                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0051A59F), ref: 00520138
                                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00520176
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                          • String ID:
                                                          • API String ID: 1823725401-0
                                                          APIs
                                                          • GetStringTypeW.KERNEL32(00000001,00787E7C,00000001,?,74DEE860,007E9E84,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 00527357
                                                          • GetStringTypeA.KERNEL32(00000000,00000001,00787E78,00000001,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 00527371
                                                          • GetStringTypeA.KERNEL32(?,?,?,?,0051C2BD,74DEE860,007E9E84,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 005273A5
                                                          • MultiByteToWideChar.KERNEL32(?,007E9E85,?,?,00000000,00000000,74DEE860,007E9E84,?,?,0051C2BD,?,?,?,00000000,00000001), ref: 005273DD
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0051C2BD,?), ref: 00527433
                                                          • GetStringTypeW.KERNEL32(?,?,00000000,0051C2BD,?,?,?,?,?,?,0051C2BD,?), ref: 00527445
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: StringType$ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 3852931651-0
                                                          • Opcode ID: fc6b4c80ab6d9abc5d6fdd481c69e9967c776c24ea331c70b51248247a52846c
                                                          • Instruction ID: e8e7cecb782fc17ebba40841d296784bfc2ff94690f2cbd78bbea2cf00d9f8aa
                                                          • Opcode Fuzzy Hash: fc6b4c80ab6d9abc5d6fdd481c69e9967c776c24ea331c70b51248247a52846c
                                                          • Instruction Fuzzy Hash: F0415A72604269AFCF11DF94EC85DEE3F79FF2A750F104925FA1196290D3348950ABA1
                                                          APIs
                                                          • TlsGetValue.KERNEL32(007E5BBC,007E5BAC,00000000,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 00536263
                                                          • EnterCriticalSection.KERNEL32(007E5BD8,00000010,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362B2
                                                          • LeaveCriticalSection.KERNEL32(007E5BD8,00000000,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362C5
                                                          • LocalAlloc.KERNEL32(00000000,00000004,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362DB
                                                          • LocalReAlloc.KERNEL32(?,00000004,00000002,?,007E5BBC,?,005364C0,007E5BAC,00000000,?,00000000,00535ED7,005357C6,00535EF3,005312F7,0053259F), ref: 005362ED
                                                          • TlsSetValue.KERNEL32(007E5BBC,00000000), ref: 00536329
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                          • String ID:
                                                          • API String ID: 4117633390-0
                                                          • Opcode ID: 4f5274784e88527fc3ad9bf3591c9a140dde17ef777d05684e1eee6e0ac5f88e
                                                          • Instruction ID: cff2b537bd400128be37a0a8e3b9ee00de74aa07e85daff9269e032699187626
                                                          • Opcode Fuzzy Hash: 4f5274784e88527fc3ad9bf3591c9a140dde17ef777d05684e1eee6e0ac5f88e
                                                          • Instruction Fuzzy Hash: 68315A75100606AFD724DF54D899E66BBF8FB85350F00C52DF41687650EB70E819CB61
                                                          APIs
                                                          • GetVersionExA.KERNEL32 ref: 0052045F
                                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00520494
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005204F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                          • API String ID: 1385375860-4131005785
                                                          • Opcode ID: ba831ef9b5252bffba1e158d20c034c3838df217f69b823f21ca0fbb9c221d34
                                                          • Instruction ID: 4fb4ebec03278de782ffce972b394520f8dc4cd3d2a21a75db86f52bbd9114ea
                                                          • Opcode Fuzzy Hash: ba831ef9b5252bffba1e158d20c034c3838df217f69b823f21ca0fbb9c221d34
                                                          • Instruction Fuzzy Hash: 17311372A4326869EF31A6747C95AE97F68BF03304F1464D5E545C61C3E6218EC9CF11
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00536DAD
                                                            • Part of subcall function 00536E99: lstrlenA.KERNEL32(00000104,00000000,?,00536DDD), ref: 00536ED0
                                                          • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00536E4E
                                                          • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00536E7B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                          • String ID: .HLP$.INI
                                                          • API String ID: 2421895198-3011182340
                                                          • Opcode ID: 13e52bb3b9e210f075c9512619b16586b1d1e3c8b62c61aaf3b240d35f6cffa0
                                                          • Instruction ID: 877962b00d621f17fd0d9100fbaa84d6417a4b1ee5678dadb8208837ecbc9bf5
                                                          • Opcode Fuzzy Hash: 13e52bb3b9e210f075c9512619b16586b1d1e3c8b62c61aaf3b240d35f6cffa0
                                                          • Instruction Fuzzy Hash: 7C3161B6504719AFDB20EB70D889BC7BBFCBF08300F10496AE199D2151DB74AAC4DB60
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 492c8171bd9e49e3059a41a9689575ad30baeaea1f77ac32c052578dd1c86428
                                                          • Instruction ID: cdb9612aaf1e8ee0da3543c4e82bdf6317063e2398d8dfaa0dd144234c042c31
                                                          • Opcode Fuzzy Hash: 492c8171bd9e49e3059a41a9689575ad30baeaea1f77ac32c052578dd1c86428
                                                          • Instruction Fuzzy Hash: 17C1B3B19042129FC710DF24D88196BB7E8FF96318F04492EF95797351EB38E906CBA6
                                                          APIs
                                                          • GetStartupInfoA.KERNEL32(?), ref: 005201E7
                                                          • GetFileType.KERNEL32(?,?,00000000), ref: 00520292
                                                          • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 005202F5
                                                          • GetFileType.KERNEL32(00000000,?,00000000), ref: 00520303
                                                          • SetHandleCount.KERNEL32 ref: 0052033A
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: FileHandleType$CountInfoStartup
                                                          • String ID:
                                                          • API String ID: 1710529072-0
                                                          • Opcode ID: 61ef1fefad16dc3c81f17f3435dfce1a575a34b9670d474c0f2521b0bdd6bf7a
                                                          • Instruction ID: e74ee9ca71d2faffc0e15ee745fae3fbcffc5e2ba4e9d0ad4966c6ba7992b814
                                                          • Opcode Fuzzy Hash: 61ef1fefad16dc3c81f17f3435dfce1a575a34b9670d474c0f2521b0bdd6bf7a
                                                          • Instruction Fuzzy Hash: A2512776502261CFDB20CB68E88C7697FE0FF16324F289A29D292DB2E2D7309805C751
                                                          APIs
                                                          • GetLastError.KERNEL32(00000103,7FFFFFFF,0051C8B2,0051F1C7,00000000,?,?,00000000,00000001), ref: 005203AE
                                                          • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005203BC
                                                          • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00520408
                                                            • Part of subcall function 0051CCA6: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,005203D1,00000001,00000074,?,?,00000000,00000001), ref: 0051CD9C
                                                          • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 005203E0
                                                          • GetCurrentThreadId.KERNEL32 ref: 005203F1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                          • String ID:
                                                          • API String ID: 2020098873-0
                                                          • Opcode ID: 3e1561b0d60df2ba709d0f1f7ee21b2c7e604de6615f5a0fed07d3b4cddb9e78
                                                          • Instruction ID: 934b10d7a9e11476fda2d98b13fb906a35a6111a38e5fa7ed2e9ef619017d264
                                                          • Opcode Fuzzy Hash: 3e1561b0d60df2ba709d0f1f7ee21b2c7e604de6615f5a0fed07d3b4cddb9e78
                                                          • Instruction Fuzzy Hash: 95F02B366022229FDB352B70BC0D95A7E31FF92771B108919F941D63E1CF308C4296B1
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(007E5D70,?,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3), ref: 005371D0
                                                          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3), ref: 005371E2
                                                          • LeaveCriticalSection.KERNEL32(007E5D70,?,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3), ref: 005371EB
                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3,005312F7), ref: 005371FD
                                                            • Part of subcall function 00537102: GetVersion.KERNEL32(?,005371A5,?,00536506,00000010,?,00000000,?,?,?,00535EED,00535F50,005357C6,00535EF3,005312F7,0053259F), ref: 00537115
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                          • String ID: p]~
                                                          • API String ID: 1193629340-320392800
                                                          • Opcode ID: 9ea5a6949c09d744af9e703b255057b375412993c03607b6b785b3b6a8fa56c6
                                                          • Instruction ID: 4e4372c2b8762f1ed0aaecc06bf45f32413e2340a6e9bdf592007e74f63ed9db
                                                          • Opcode Fuzzy Hash: 9ea5a6949c09d744af9e703b255057b375412993c03607b6b785b3b6a8fa56c6
                                                          • Instruction Fuzzy Hash: 4CF04FBA50665EDFCB20DFA4FCC8956B77DFB2C31AB404426F60586021D734E455CA68
                                                          APIs
                                                          • wsprintfA.USER32 ref: 10027B78
                                                          • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: Messagewsprintf
                                                          • String ID: error$program internal error number is %d. %s
                                                          • API String ID: 300413163-3752934751
                                                          • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                          • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                          • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                          • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                          APIs
                                                          • HeapAlloc.KERNEL32(00000000,00002020,007A81D0,007A81D0,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000), ref: 005249BD
                                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000), ref: 005249E1
                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000), ref: 005249FB
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000,?), ref: 00524ABC
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00524E68,00000000,00000010,00000000,00000009,00000009,?,0051BEF1,00000010,00000000,?,00000000), ref: 00524AD3
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual$FreeHeap
                                                          • String ID:
                                                          • API String ID: 714016831-0
                                                          • Opcode ID: 4d5795f96e935a14ec4f40d6458586451b341b0902c93f6c1ff3425f409d2d18
                                                          • Instruction ID: 68db858c95cfd1a549588c7097b8e0c7abcff402196b57f1dd8bfb6505046ab8
                                                          • Opcode Fuzzy Hash: 4d5795f96e935a14ec4f40d6458586451b341b0902c93f6c1ff3425f409d2d18
                                                          • Instruction Fuzzy Hash: 5A312071A817159BD320CF28FC44B22BAE5FB86750F108639E5559B2D0EB78A8408F59
                                                          APIs
                                                          • malloc.MSVCRT ref: 10029FB3
                                                          • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                          • free.MSVCRT ref: 10029FF6
                                                          • free.MSVCRT ref: 1002A014
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: free$Stringmalloc
                                                          • String ID:
                                                          • API String ID: 3576809655-0
                                                          • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                          • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                          • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                          • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                          APIs
                                                          • GetVersion.KERNEL32 ref: 0051A52F
                                                            • Part of subcall function 00520588: HeapCreate.KERNEL32(00000000,00001000,00000000,0051A567,00000001), ref: 00520599
                                                            • Part of subcall function 00520588: HeapDestroy.KERNEL32 ref: 005205D8
                                                          • GetCommandLineA.KERNEL32 ref: 0051A58F
                                                          • GetStartupInfoA.KERNEL32(?), ref: 0051A5BA
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0051A5DD
                                                            • Part of subcall function 0051A636: ExitProcess.KERNEL32 ref: 0051A653
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                          • String ID:
                                                          • API String ID: 2057626494-0
                                                          • Opcode ID: 5ed8fc3c02823a4202ba596287148609586901291b66cf97aa2b2d9f2f2980d9
                                                          • Instruction ID: 87813a256b5383736a28975fa4f3c478383fe933baf9cb57af6a6e245495cad0
                                                          • Opcode Fuzzy Hash: 5ed8fc3c02823a4202ba596287148609586901291b66cf97aa2b2d9f2f2980d9
                                                          • Instruction Fuzzy Hash: D521E4B0C0578A9FEB04ABB0EC4EAAD7FB8FF45704F104129F9019A2D1DB388880C761
                                                          APIs
                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                          • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                          • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2930583899.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_10000000_S17.jbxd
                                                          Similarity
                                                          • API ID: CloseFileHandle$CreateWrite
                                                          • String ID:
                                                          • API String ID: 3602564925-0
                                                          • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                          • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                          • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                          • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                          APIs
                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 0051F713
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: Info
                                                          • String ID: $
                                                          • API String ID: 1807457897-3032137957
                                                          • Opcode ID: 041f14e6359c40e110e6e9075aad687c66ad8b4cebb70bc142e2e03c45334d30
                                                          • Instruction ID: ab07f19c13149a0ef12433ada24027e58874ef0d0aa273af1aa89430f7862ca0
                                                          • Opcode Fuzzy Hash: 041f14e6359c40e110e6e9075aad687c66ad8b4cebb70bc142e2e03c45334d30
                                                          • Instruction Fuzzy Hash: 2C4149320052A87AFB11DB14DD99FEA7FA8FB1A700F1445F5D646CB192C2394A84DBA3
                                                          APIs
                                                            • Part of subcall function 0051D44C: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0051A5E9,00000000), ref: 0051D47A
                                                          • __EH_prolog.LIBCMT ref: 0052A63B
                                                          • lstrcpynA.KERNEL32(?,?,00000104), ref: 0052A728
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: ExceptionH_prologRaiselstrcpyn
                                                          • String ID: 0@~
                                                          • API String ID: 2915105959-2632855484
                                                          • Opcode ID: a2d5e0684046290b5e10c32e4955e4884d10c38e17d83f1a7c7010f4d86870d7
                                                          • Instruction ID: 2e9c89a60c701ad596b26f60d460b35a3198e5839f2904d9daf61cedbdea8777
                                                          • Opcode Fuzzy Hash: a2d5e0684046290b5e10c32e4955e4884d10c38e17d83f1a7c7010f4d86870d7
                                                          • Instruction Fuzzy Hash: B54157B0600705AFD711DF68D885B9BBFF4FF45304F04482EE59A97282D7B4A944CB66
                                                          APIs
                                                          • HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,005242C2,00000000,00000000,00000000,0051BE93,00000000,00000000,?,00000000,00000000,00000000), ref: 00524522
                                                          • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005242C2,00000000,00000000,00000000,0051BE93,00000000,00000000,?,00000000,00000000,00000000), ref: 00524556
                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00524570
                                                          • HeapFree.KERNEL32(00000000,?), ref: 00524587
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: AllocHeap$FreeVirtual
                                                          • String ID:
                                                          • API String ID: 3499195154-0
                                                          • Opcode ID: da57bcf1bcf626effddd66c01784a3daed996f173d47f026efeb532fbfe14ffe
                                                          • Instruction ID: 1ee8ee885daa6e84748a58175d0edf56f79c686e77a936ca95c84200b46b91e7
                                                          • Opcode Fuzzy Hash: da57bcf1bcf626effddd66c01784a3daed996f173d47f026efeb532fbfe14ffe
                                                          • Instruction Fuzzy Hash: 361158332013819FC720CF28FC859A2BBB5FB897247148A19F3A6CA2B0D3B59845DF54
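The four calls above are printed with raw hexadecimal arguments, and the one that matters for triage is VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004) at 00524570: allocation type 0x2000 is MEM_RESERVE alone (no MEM_COMMIT) and protection 0x4 is PAGE_READWRITE, so this is a 1 MiB reserve-only, non-executable region, which on its own is not evidence of an executable staging buffer. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in the report's own "Name.Module(args), ref: addr" format, decodes the documented Win32 VirtualAlloc constants, and emits findings for executable or reserve-only regions and for the MAX_PATH (0x104) limit passed to lstrcpynA in the routine above. The sample trace is constructed from this page's lines; the heap functions are parsed but deliberately not decoded by position, because the report's stack snapshot for them (e.g. HeapAlloc showing 00000008,000041C4 first) does not line up with the documented prototypes and any mapping would be a guess.

```python
"""Decode the raw argument lists of Joe Sandbox-style API trace lines."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: API lines copied from this page in the report's own format.
SAMPLE_TRACE = """\
• HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,005242C2), ref: 00524522
• HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005242C2), ref: 00524556
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00524570
• HeapFree.KERNEL32(00000000,?), ref: 00524587
• Part of subcall function 0051D44C: RaiseException.KERNEL32(00000000,00000000,00000000,?), ref: 0051D47A
• lstrcpynA.KERNEL32(?,?,00000104), ref: 0052A728
"""

LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Documented Win32 constants (winnt.h); values are bit flags unless noted.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MAX_PATH = 0x104


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed '?'
    ref: int


def parse_trace(text: str) -> List[ApiCall]:
    """Parse every line that matches the report's API format; skip the rest."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m["args"].split(",") if a.strip()]
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return calls


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_virtualalloc(call: ApiCall) -> Dict[str, object]:
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) decoded by name."""
    _addr, size, alloc_type, protect = call.args[:4]
    base = protect & 0xFF  # low byte carries the access protection
    return {
        "ref": call.ref,
        "size": size,
        "alloc_type": _bits(alloc_type, MEM_FLAGS),
        "protect": PAGE_BASE.get(base, f"0x{base:X}"),
        "modifiers": _bits(protect, PAGE_MODIFIERS),
        "committed": bool(alloc_type & 0x1000),
        "executable": base in (0x10, 0x20, 0x40, 0x80),
    }


def triage(text: str) -> List[str]:
    """One finding per call a reviewer should look at; empty list if nothing stands out."""
    findings = []
    for c in parse_trace(text):
        if c.name == "VirtualAlloc" and len(c.args) >= 4 and None not in c.args[:4]:
            d = decode_virtualalloc(c)
            if d["executable"]:
                findings.append(f"{c.ref:08X}: executable allocation ({d['protect']})")
            elif not d["committed"]:
                findings.append(f"{c.ref:08X}: reserve-only {d['protect']} region of 0x{d['size']:X} bytes")
        elif c.name == "lstrcpynA" and len(c.args) >= 3 and c.args[2] == MAX_PATH:
            findings.append(f"{c.ref:08X}: lstrcpynA with MAX_PATH limit (path buffer copy)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_TRACE):
        print(line)
```

Run against the constructed trace it reports the reserve-only PAGE_READWRITE region at 00524570 and the MAX_PATH-bounded lstrcpynA at 0052A728, and nothing executable; a PAGE_EXECUTE_READWRITE (0x40) VirtualAlloc in a later routine would surface as the first kind of finding, which is the call worth correlating with any dumped PE.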
                                                          APIs
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C28
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C30
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C38
                                                          • InitializeCriticalSection.KERNEL32(?,0052034B,?,0051A579), ref: 00522C40
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2928129164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000005.00000002.2928108731.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.000000000053D000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000677000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928222734.0000000000774000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928416034.0000000000793000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928435830.0000000000795000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928453365.0000000000797000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928473340.00000000007A0000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928491808.00000000007A1000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928514320.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928532598.00000000007A8000.00000008.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007AA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007B6000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007E4000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928551082.00000000007EA000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007EC000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000007F2000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000005.00000002.2928650363.00000000008EF000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_S17.jbxd
                                                          Similarity
                                                          • API ID: CriticalInitializeSection
                                                          • String ID:
                                                          • API String ID: 32694325-0
                                                          • Opcode ID: 897d6151f6e29b4ead05583e689f077f6d00e6372729029d2dd993c98794d7a6
                                                          • Instruction ID: f19e875aee3abb21faea54addff1ce771f2f99497a523bd9a06963582b441486
                                                          • Opcode Fuzzy Hash: 897d6151f6e29b4ead05583e689f077f6d00e6372729029d2dd993c98794d7a6
                                                          • Instruction Fuzzy Hash: A7C0023180D038AECA166B55FD0585A3F75EB8B26130184E3B1045213086651D12EFD4